AU Section 319
Consideration of Internal Control in a Financial Statement Audit
- (.01-.05) Introduction
- (.06 - .07) Definition of Internal Control
- (.08 - .13) Relationship Between Objectives and Components
- (.14 - .15) Application of Components to a Financial Statement Audit
- (.16 - .20) Effect of Information Technology on Internal Control
- (.21 - .24) Limitations of an Entity's Internal Control
- (.25 - .61) Obtaining an Understanding of Internal Control
- (.62 - .83) Assessing Control Risk
- (.84 - .89) Relationship of Understanding to Assessing Control Risk
- (.90 - .104) Evidential Matter to Support the Assessed Level of Control Risk
- (.105 - .108) Correlation of Control Risk With Detection Risk
- (.109) Effective Date
- [.110] Appendix — Internal Control Components
Source: SAS No. 55; SAS No. 78; SAS No. 94. fn *
Effective for audits of financial statements for periods beginning on or after January 1, 1990, unless otherwise indicated.
Introduction
.01
This section provides guidance on the independent auditor’s consideration of an entity’s internal control in an audit of financial statements in accordance with generally accepted auditing standards. It defines internal control, fn 1 describes the objectives and components of internal control, and explains how an auditor should consider internal control in planning and performing an audit. In particular, this section provides guidance about implementing the second standard of field work: “A sufficient understanding of internal control is to be obtained to plan the audit and to determine the nature, timing, and extent of tests to be performed.”
.02
[For audits of fiscal years ending before November 15, 2004, for accelerated filers, and before July 15, 2005, for all other issuers, click here.]
In all audits, the auditor should obtain an understanding of internal control sufficient to plan the audit by performing procedures to understand the design of controls relevant to an audit of financial statements and determining whether they have been placed in operation. In obtaining this understanding, the auditor considers how an entity’s use of information technology (IT) fn 2 and manual procedures may affect controls relevant to the audit. The auditor then assesses control risk for the relevant assertions embodied in the account balance, transaction class, and disclosure components of the financial statements. Regardless of the assessed level of control risk, the auditor should perform substantive procedures for all relevant assertions related to all significant accounts and disclosures in the financial statements.
Note: Refer to paragraph A9 of Appendix A, Definitions, of PCAOB Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements for the definition of a relevant assertion and paragraphs 28-33 of PCAOB Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements for discussion of identifying relevant assertions.
.03
The auditor may determine that assessing control risk below the maximum level fn 3 for certain assertions would be effective and more efficient than performing only substantive tests. In addition, the auditor may determine that it is not practical or possible to restrict detection risk to an acceptable level by performing only substantive tests for one or more financial statement assertions. In such circumstances, the auditor should obtain evidential matter about the effectiveness of both the design and operation of controls to reduce the assessed level of control risk. Such evidential matter may be obtained from tests of controls planned and performed concurrent with or subsequent to obtaining the understanding. fn 4 Such evidential matter also may be obtained from procedures that were not specifically planned as tests of controls but that nevertheless provide evidential matter about the effectiveness of the design and operation of the controls. For certain assertions, the auditor may desire to further reduce the assessed level of control risk. In such cases, the auditor considers whether evidential matter sufficient to support a further reduction is likely to be available and whether performing additional tests of controls to obtain such evidential matter would be efficient.
.04
Alternatively, the auditor may assess control risk at the maximum level because he or she believes controls are unlikely to pertain to an assertion or are unlikely to be effective, or because evaluating the effectiveness of controls would be inefficient. However, the auditor needs to be satisfied that performing only substantive tests would be effective in restricting detection risk to an acceptable level. When evidence of an entity’s initiation, recording, or processing of financial data exists only in electronic form, the auditor’s ability to obtain the desired assurance only from substantive tests would significantly diminish.
.05
The auditor uses the understanding of internal control and the assessed level of control risk in determining the nature, timing, and extent of substantive tests for financial statement assertions.
Definition of Internal Control
.06
Internal control is a process—effected by an entity’s board of directors, management, and other personnel—designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (a) reliability of financial reporting, (b) effectiveness and efficiency of operations, and (c) compliance with applicable laws and regulations.
.07
Internal control consists of five interrelated components:
- Control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
- Risk assessment is the entity’s identification and analysis of relevant risks to achievement of its objectives, forming a basis for determining how the risks should be managed.
- Control activities are the policies and procedures that help ensure that management directives are carried out.
- Information and communication systems support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
- Monitoring is a process that assesses the quality of internal control performance over time.
Relationship Between Objectives and Components
.08
There is a direct relationship between objectives, which are what an entity strives to achieve, and components, which represent what is needed to achieve the objectives. In addition, internal control is relevant to the entire entity, or to any of its operating units or business functions. This relationship is depicted as follows:
.09
Although an entity's internal control addresses objectives in each of the categories referred to in paragraph .06, not all of these objectives and related controls are relevant to an audit of the entity's financial statements. Also, although internal control is relevant to the entire entity or to any of its operating units or business functions, an understanding of internal control relevant to each of the entity's operating units and business functions may not be necessary to plan and perform an effective audit.
Note: When performing an integrated audit of financial statements and internal control over financial reporting, refer to paragraphs B10 - B16 of Appendix B, Special Topics, of PCAOB Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, for discussion of considerations when a company has multiple locations or business units.
Financial Reporting Objective
.10
Generally, controls that are relevant to an audit pertain to the entity's objective of preparing financial statements for external purposes that are fairly presented in conformity with generally accepted accounting principles or a comprehensive basis of accounting other than generally accepted accounting principles. fn 5
Operations and Compliance Objectives
.11
The controls relating to operations and compliance fn 6 objectives may be relevant to an audit if they pertain to data the auditor evaluates or uses in applying auditing procedures. For example, controls pertaining to nonfinancial data that the auditor uses in analytical procedures, such as production statistics, or pertaining to detecting noncompliance with laws and regulations that may have a direct and material effect on the financial statements, such as controls over compliance with income tax laws and regulations used to determine the income tax provision, may be relevant to an audit.
.12
An entity generally has controls relating to objectives that are not relevant to an audit and therefore need not be considered. For example, controls concerning compliance with health and safety regulations or concerning the effectiveness and efficiency of certain management decision-making processes (such as the appropriate price to charge for its products or whether to make expenditures for certain research and development or advertising activities), although important to the entity, ordinarily do not relate to a financial statement audit. Similarly, an entity may rely on a sophisticated system of automated controls to provide efficient and effective operations (such as a commercial airline's system of automated controls to maintain flight schedules), but these controls ordinarily would not be relevant to the financial statement audit and therefore need not be considered.
Safeguarding of Assets
.13
Internal control over safeguarding of assets against unauthorized acquisition, use, or disposition may include controls relating to financial reporting and operations objectives. This relationship is depicted as follows:
In obtaining an understanding of each of the components of internal control to plan the audit, the auditor's consideration of safeguarding controls is generally limited to those relevant to the reliability of financial reporting. For example, use of a lockbox system for collecting cash or access controls, such as passwords, that limit access to the data and programs that process cash disbursements may be relevant to a financial statement audit. Conversely, controls to prevent the excess use of materials in production generally are not relevant to a financial statement audit.
Application of Components to a Financial Statement Audit
.14
The division of internal control into five components provides a useful framework for auditors to consider the impact of an entity's internal control in an audit. However, it does not necessarily reflect how an entity considers and implements internal control. Also, the auditor's primary consideration is whether a specific control affects financial statement assertions rather than its classification into any particular component. Controls relevant to the audit are those that individually or in combination with others are likely to prevent or detect material misstatements in financial statement assertions. Such controls may exist in any of the five components.
.15
The five components of internal control are applicable to the audit of every entity. The components should be considered in the context of—
- The entity's size.
- The entity's organization and ownership characteristics.
- The nature of the entity's business.
- The diversity and complexity of the entity's operations.
- Applicable legal and regulatory requirements.
- The nature and complexity of the systems that are part of the entity's internal control, including the use of service organizations. fn 7
Effect of Information Technology on Internal Control
.16
An entity’s use of IT may affect any of the five components of internal control relevant to the achievement of the entity’s financial reporting, operations, or compliance objectives, and its operating units or business functions. For example, an entity may use IT as part of discrete systems that support only particular business units, functions, or activities, such as a unique accounts receivable system for a particular business unit or a system that controls the operation of factory equipment. Alternatively, an entity may have complex, highly integrated systems that share data and that are used to support all aspects of the entity’s financial reporting, operations, and compliance objectives.
.17
The use of IT also affects the fundamental manner in which transactions are initiated, recorded, processed, and reported. fn 8 In a manual system, an entity uses manual procedures and records in paper format (for example, individuals may manually record sales orders on paper forms or journals, authorize credit, prepare shipping reports and invoices, and maintain accounts receivable records). Controls in such a system also are manual and may include such procedures as approvals and reviews of activities, and reconciliations and follow-up of reconciling items. Alternatively, an entity may have information systems that use automated procedures to initiate, record, process, and report transactions, in which case records in electronic format replace such paper documents as purchase orders, invoices, shipping documents, and related accounting records. Controls in systems that use IT consist of a combination of automated controls (for example, controls embedded in computer programs) and manual controls. Further, manual controls may be independent of IT, may use information produced by IT, or may be limited to monitoring the effective functioning of IT and of automated controls, and to handling exceptions. An entity’s mix of manual and automated controls varies with the nature and complexity of the entity’s use of IT.
.18
IT provides potential benefits of effectiveness and efficiency for an entity’s internal control because it enables an entity to—
- Consistently apply predefined business rules and perform complex calculations in processing large volumes of transactions or data.
- Enhance the timeliness, availability, and accuracy of information.
- Facilitate the additional analysis of information.
- Enhance the ability to monitor the performance of the entity’s activities and its policies and procedures.
- Reduce the risk that controls will be circumvented.
- Enhance the ability to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems.
.19
IT also poses specific risks to an entity’s internal control, including—
- Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.
- Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions.
- Unauthorized changes to data in master files.
- Unauthorized changes to systems or programs.
- Failure to make necessary changes to systems or programs.
- Inappropriate manual intervention.
- Potential loss of data.
.20
The extent and nature of these risks to internal control vary depending on the nature and characteristics of the entity’s information system. For example, multiple users, either external or internal, may access a common database of information that affects financial reporting. In such circumstances, a lack of control at a single user entry point might compromise the security of the entire database, potentially resulting in improper changes to or destruction of data. When IT personnel or users are given, or can gain, access privileges beyond those necessary to perform their assigned duties, a breakdown in segregation of duties can occur. This could result in unauthorized transactions or changes to programs or data that affect the financial statements. Therefore, the nature and characteristics of an entity’s use of IT in its information system affect the entity’s internal control.
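The two conditions paragraph .20 describes, users holding access privileges beyond those their assigned duties require and one person combining duties that should be segregated, can both be detected mechanically from an access-rights listing. The following is an added illustration, not part of AU 319; the job profiles, privilege names, conflicting-duty pairs and the sample grants are constructed assumptions.

```python
"""Constructed example: review an access-rights listing for privileges beyond a
user's job profile (least privilege) and for segregation-of-duties conflicts.
Added illustration, not part of AU 319; all names and pairings are assumed."""
from collections import defaultdict

# Assumed job profiles: the privileges each assigned duty legitimately needs.
JOB_PROFILES = {
    "ap_clerk": {"vendor.read", "invoice.enter"},
    "ap_manager": {"vendor.read", "invoice.approve", "payment.release"},
    "developer": {"program.change", "test.deploy"},
    "it_ops": {"prod.deploy", "db.backup"},
}

# Assumed pairs of duties that one person should not be able to perform alone.
CONFLICT_PAIRS = [
    ({"vendor.create"}, {"payment.release"}),   # create a payee and pay it
    ({"invoice.enter"}, {"invoice.approve"}),   # enter and approve the same invoice
    ({"program.change"}, {"prod.deploy"}),      # change a program and move it to production
]

# Constructed sample listing: user -> (assigned job, privileges actually granted).
SAMPLE_GRANTS = {
    "alice": ("ap_clerk", {"vendor.read", "invoice.enter"}),
    "bob": ("ap_clerk", {"vendor.read", "vendor.create", "invoice.enter", "payment.release"}),
    "carol": ("developer", {"program.change", "test.deploy", "prod.deploy"}),
    "dave": ("ap_manager", {"vendor.read", "invoice.approve", "payment.release"}),
}


def excess_privileges(grants, job_profiles=JOB_PROFILES):
    """Return {user: sorted list of privileges} for users granted privileges
    beyond the profile of their assigned job."""
    findings = {}
    for user, (job, privs) in grants.items():
        allowed = job_profiles.get(job, set())
        extra = set(privs) - allowed
        if extra:
            findings[user] = sorted(extra)
    return findings


def sod_conflicts(grants, conflict_pairs=CONFLICT_PAIRS):
    """Return {user: [(privilege_a, privilege_b), ...]} for users whose granted
    privileges combine both sides of a conflicting-duty pair."""
    findings = defaultdict(list)
    for user, (_job, privs) in grants.items():
        held = set(privs)
        for side_a, side_b in conflict_pairs:
            for a in sorted(held & side_a):
                for b in sorted(held & side_b):
                    findings[user].append((a, b))
    return dict(findings)


def review(grants=SAMPLE_GRANTS):
    """Run both checks and return them together for a reviewer."""
    return {"excess": excess_privileges(grants), "conflicts": sod_conflicts(grants)}


if __name__ == "__main__":
    for kind, hits in review().items():
        for user, detail in hits.items():
            print(f"{kind}: {user}: {detail}")
```

Run against the sample listing, the excess-privilege check flags bob (granted vendor creation and payment release as a clerk) and carol (a developer who can deploy to production), and the conflict check flags the same two users because those extra grants complete a conflicting pair; alice and dave hold only what their profiles allow and are not reported.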
Limitations of an Entity's Internal Control
.21
Internal control, no matter how well designed and operated, can provide only reasonable assurance of achieving an entity's control objectives. The likelihood of achievement is affected by limitations inherent to internal control. These include the realities that human judgment in decision-making can be faulty and that breakdowns in internal control can occur because of human failures such as simple errors or mistakes. For example, errors may occur in designing, maintaining, or monitoring automated controls. If an entity’s IT personnel do not completely understand how an order entry system processes sales transactions, they may erroneously design changes to the system to process sales for a new line of products. On the other hand, such changes may be correctly designed but misunderstood by individuals who translate the design into program code. Errors also may occur in the use of information produced by IT. For example, automated controls may be designed to report transactions over a specified dollar limit for management review, but individuals responsible for conducting the review may not understand the purpose of such reports and, accordingly, may fail to review them or investigate unusual items.
.22
Additionally, controls, whether manual or automated, can be circumvented by the collusion of two or more people or inappropriate management override of internal control. For example, management may enter into side agreements with customers that alter the terms and conditions of the entity’s standard sales contract in ways that would preclude revenue recognition. Also, edit routines in a software program that are designed to identify and report transactions that exceed specified credit limits may be overridden or disabled.
.23
Internal control is influenced by the quantitative and qualitative estimates and judgments made by management in evaluating the cost-benefit relationship of an entity’s internal control. The cost of an entity's internal control should not exceed the benefits that are expected to be derived. Although the cost-benefit relationship is a primary criterion that should be considered in designing internal control, the precise measurement of costs and benefits usually is not possible.
.24
Custom, culture, and the corporate governance system may inhibit fraud, but they are not absolute deterrents. An effective control environment, too, may help reduce the risk of fraud. For example, an effective board of directors, audit committee, and internal audit function may constrain improper conduct by management. Alternatively, the control environment may reduce the effectiveness of other components. For example, when the nature of management incentives increases the risk of material misstatement of financial statements, the effectiveness of control activities may be reduced.
Obtaining an Understanding of Internal Control
.25
In all audits, the auditor should obtain an understanding of each of the five components of internal control sufficient to plan the audit. A sufficient understanding is obtained by performing procedures to understand the design of controls relevant to an audit of financial statements and determining whether they have been placed in operation. In planning the audit, such knowledge should be used to—
- Identify types of potential misstatement.
- Consider factors that affect the risk of material misstatement.
- Design tests of controls, when applicable. Paragraphs .65 through .69 of this section discuss factors the auditor considers in determining whether to perform tests of controls.
- Design substantive tests.
.26
The nature, timing, and extent of procedures the auditor chooses to perform to obtain the understanding will vary depending on the size and complexity of the entity, previous experience with the entity, the nature of the specific controls used by the entity including the entity’s use of IT, the nature and extent of changes in systems and operations, and the nature of the entity's documentation of specific controls. For example, the understanding of risk assessment needed to plan an audit for an entity operating in a relatively stable environment may be limited. Also, the understanding of monitoring needed to plan an audit for a small, noncomplex entity may be limited. Similarly, the auditor may need only a limited understanding of control activities to plan an audit for a noncomplex entity that has significant owner-manager approval and review of transactions and accounting records. On the other hand, the auditor may need a greater understanding of control activities to plan an audit for an entity that has a large volume of revenue transactions and that relies on IT to measure and bill for services based on a complex, frequently changing rate structure.
.27
Whether a control has been placed in operation at a point in time is different from its operating effectiveness over a period of time. In obtaining knowledge about whether controls have been placed in operation, the auditor determines that the entity is using them. Operating effectiveness, on the other hand, is concerned with how the control (whether manual or automated) was applied, the consistency with which it was applied, and by whom it was applied. The auditor determines whether controls have been placed in operation as part of the understanding of internal control necessary to plan the audit. The auditor evaluates the operating effectiveness of controls as part of assessing control risk, as discussed in paragraphs .62 through .83 of this section. Although understanding internal control and assessing control risk are discussed separately in this section, they may be performed concurrently in an audit. Furthermore, some of the procedures performed to obtain the understanding may provide evidential matter about the operating effectiveness of controls relevant to certain assertions.
.28
The auditor's understanding of internal control may sometimes raise doubts about the auditability of an entity's financial statements. Concerns about the integrity of the entity's management may be so serious as to cause the auditor to conclude that the risk of management misrepresentation in the financial statements is such that an audit cannot be conducted. Concerns about the nature and extent of an entity's records may cause the auditor to conclude that it is unlikely that sufficient competent evidential matter will be available to support an opinion on the financial statements.
Understanding of Internal Control Necessary to Plan the Audit
.29
In making a judgment about the understanding of internal control necessary to plan the audit, the auditor considers the knowledge obtained from other sources about the types of misstatement that could occur, the risk that such misstatements may occur, and the factors that influence the design of tests of controls, when applicable, and substantive tests. Other sources of such knowledge include information from previous audits and the auditor’s understanding of the industry and market in which the entity operates. The auditor also considers his or her assessment of inherent risk, judgments about materiality, and the complexity and sophistication of the entity's operations and systems, including the extent to which the entity relies on manual controls or on automated controls.
.30
In making a judgment about the understanding of internal control necessary to plan the audit, the auditor also considers IT risks that could result in misstatements. For example, if an entity uses IT to perform complex calculations, the entity receives the benefit of having the calculations consistently performed. However, the use of IT also presents risks, such as the risk that improperly authorized, incorrectly defined, or improperly implemented changes to the system or programs performing the calculations, or to related program tables or master files, could result in consistently performing those calculations inaccurately. As an entity's operations and systems become more complex and sophisticated, it becomes more likely that the auditor would need to increase his or her understanding of the internal control components to obtain the understanding necessary to design tests of controls, when applicable, and substantive tests.
.31
The auditor should consider whether specialized skills are needed for the auditor to determine the effect of IT on the audit, to understand the IT controls, or to design and perform tests of IT controls or substantive tests. A professional possessing IT skills may be either on the auditor’s staff or an outside professional. In determining whether such a professional is needed on the audit team, the auditor considers factors such as the following:
- The complexity of the entity’s systems and IT controls and the manner in which they are used in conducting the entity’s business
- The significance of changes made to existing systems, or the implementation of new systems
- The extent to which data is shared among systems
- The extent of the entity’s participation in electronic commerce
- The entity’s use of emerging technologies
- The significance of audit evidence that is available only in electronic form
.32
Procedures that the auditor may assign to a professional possessing IT skills include inquiring of an entity’s IT personnel how data and transactions are initiated, recorded, processed, and reported and how IT controls are designed; inspecting systems documentation; observing the operation of IT controls; and planning and performing tests of IT controls. If the use of a professional possessing IT skills is planned, the auditor should have sufficient IT-related knowledge to communicate the audit objectives to the professional, to evaluate whether the specified procedures will meet the auditor’s objectives, and to evaluate the results of the procedures as they relate to the nature, timing, and extent of other planned audit procedures. fn 9
.33
Paragraphs .34 through .57 of this section provide an overview of the five internal control components and the auditor's understanding of the components relating to a financial statement audit.
Control Environment
.34
The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the following:
- Integrity and ethical values
- Commitment to competence
- Board of directors or audit committee participation
- Management's philosophy and operating style
- Organizational structure
- Assignment of authority and responsibility
- Human resource policies and practices
.35
The auditor should obtain sufficient knowledge of the control environment to understand management's and the board of directors' attitude, awareness, and actions concerning the control environment, considering both the substance of controls and their collective effect. The auditor should concentrate on the substance of controls rather than their form, because controls may be established but not acted upon. For example, management may establish a formal code of conduct but act in a manner that condones violations of that code.
.36
When obtaining an understanding of the control environment, the auditor considers the collective effect on the control environment of strengths and weaknesses in various control environment factors. Management's strengths and weaknesses may have a pervasive effect on internal control. For example, owner-manager controls may mitigate a lack of segregation of duties in a small business, or an active and independent board of directors may influence the philosophy and operating style of senior management in larger entities. Alternatively, management’s failure to commit sufficient resources to address security risks presented by IT may adversely affect internal control by allowing improper changes to be made to computer programs or to data, or by allowing unauthorized transactions to be processed. Similarly, human resource policies and practices directed toward hiring competent financial, accounting, and IT personnel may not mitigate a strong bias by top management to overstate earnings.
Risk Assessment
.37
An entity's risk assessment for financial reporting purposes is its identification, analysis, and management of risks relevant to the preparation of financial statements that are fairly presented in conformity with generally accepted accounting principles. For example, risk assessment may address how the entity considers the possibility of unrecorded transactions or identifies and analyzes significant estimates recorded in the financial statements. Risks relevant to reliable financial reporting also relate to specific events or transactions.
.38
Risks relevant to financial reporting include external and internal events and circumstances that may occur and adversely affect an entity's ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements. fn 10 Risks can arise or change due to circumstances such as the following:
- Changes in operating environment
- New personnel
- New or revamped information systems
- Rapid growth
- New technology
- New business models, products, or activities
- Corporate restructurings
- Expanded foreign operations
- New accounting pronouncements
.39
The auditor should obtain sufficient knowledge of the entity's risk assessment process to understand how management considers risks relevant to financial reporting objectives and decides about actions to address those risks. This knowledge might include understanding how management identifies risks, estimates the significance of the risks, assesses the likelihood of their occurrence, and relates them to financial reporting. The use of IT may be an important element in an entity’s risk assessment process, including providing timely information to facilitate the identification and management of risks.
.40
An entity's risk assessment differs from the auditor's consideration of audit risk in a financial statement audit. The purpose of an entity's risk assessment is to identify, analyze, and manage risks that affect entity objectives. In a financial statement audit, the auditor assesses inherent and control risks to evaluate the likelihood that material misstatements could occur in the financial statements.
Control Activities
.41
Control activities are the policies and procedures that help ensure that management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities, whether automated or manual, have various objectives and are applied at various organizational and functional levels. Generally, control activities that may be relevant to an audit may be categorized as policies and procedures that pertain to the following:
- Performance reviews
- Information processing
- Physical controls
- Segregation of duties
.42
The auditor should obtain an understanding of those control activities relevant to planning the audit. As the auditor obtains an understanding of the other components, he or she is also likely to obtain knowledge about some control activities. For example, in obtaining an understanding of the documents, records, and processing steps in the financial reporting information system that pertain to cash, the auditor is likely to become aware of whether bank accounts are reconciled. The auditor should consider the knowledge about the presence or absence of control activities obtained from the understanding of the other components in determining whether it is necessary to devote additional attention to obtaining an understanding of control activities to plan the audit. Ordinarily, audit planning does not require an understanding of the control activities related to each account balance, transaction class, and disclosure component in the financial statements or to every assertion relevant to them.
Note: For purposes of evaluating the effectiveness of internal control over financial reporting, the auditor's understanding of control activities encompasses a broader range of accounts and disclosures than what is normally obtained in a financial statement audit.
.43
The auditor should obtain an understanding of how IT affects control activities that are relevant to planning the audit. Some entities and auditors may view the IT control activities in terms of application controls and general controls. Application controls apply to the processing of individual applications. Accordingly, application controls relate to the use of IT to initiate, record, process, and report transactions or other financial data. These controls help ensure that transactions occurred, are authorized, and are completely and accurately recorded and processed. Examples include edit checks of input data, numerical sequence checks, and manual follow-up of exception reports.
.44
Application controls may be performed by IT (for example, automated reconciliation of subsystems) or by individuals. When application controls are performed by people interacting with IT, they may be referred to as user controls. The effectiveness of user controls, such as reviews of computer-produced exception reports or other information produced by IT, may depend on the accuracy of the information produced. For example, a user may review an exception report to identify credit sales over a customer’s authorized credit limit without performing procedures to verify its accuracy. In such cases, the effectiveness of the user control (that is, the review of the exception report) depends on both the effectiveness of the user review and the accuracy of the information in the report produced by IT.
.45
General controls are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. General controls commonly include controls over data center and network operations; system software acquisition and maintenance; access security; and application system acquisition, development, and maintenance.
.46
The use of IT affects the way that control activities are implemented. For example, when IT is used in an information system, segregation of duties often is achieved by implementing security controls.
Information and Communication
.47
The information system relevant to financial reporting objectives, which includes the accounting system, consists of the procedures, whether automated or manual, and records established to initiate, record, process, and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets, liabilities, and equity. The quality of system-generated information affects management's ability to make appropriate decisions in controlling the entity's activities and to prepare reliable financial reports.
.48
Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting.
.49
The auditor should obtain sufficient knowledge of the information system relevant to financial reporting to understand—
- The classes of transactions in the entity's operations that are significant to the financial statements.
- The procedures, both automated and manual, by which transactions are initiated, recorded, processed, and reported from their occurrence to their inclusion in the financial statements.
- The related accounting records, whether electronic or manual, supporting information, and specific accounts in the financial statements involved in initiating, recording, processing, and reporting transactions.
- How the information system captures other events and conditions that are significant to the financial statements.
- The financial reporting process used to prepare the entity's financial statements, including significant accounting estimates and disclosures.
.50
When IT is used to initiate, record, process, or report transactions or other financial data for inclusion in financial statements, the systems and programs may include controls related to the corresponding assertions for significant accounts or may be critical to the effective functioning of manual controls that depend on IT.
.51
In obtaining an understanding of the financial reporting process, the auditor should understand the automated and manual procedures an entity uses to prepare financial statements and related disclosures, and how misstatements may occur. Such procedures include—
- The procedures used to enter transaction totals into the general ledger. In some information systems, IT may be used to automatically transfer such information from transaction processing systems to general ledger or financial reporting systems. The automated processes and controls in such systems may reduce the risk of inadvertent error but do not overcome the risk that individuals may inappropriately override such automated processes, for example, by changing the amounts being automatically passed to the general ledger or financial reporting system. Furthermore, in planning the audit, the auditor should be aware that when IT is used to automatically transfer information there may be little or no visible evidence of such intervention in the information systems.
- The procedures used to initiate, record, and process journal entries in the general ledger. An entity’s financial reporting process used to prepare the financial statements typically includes the use of standard journal entries that are required on a recurring basis to record transactions such as monthly sales, purchases, and cash disbursements, or to record accounting estimates that are periodically made by management such as changes in the estimate of uncollectible accounts receivable. An entity’s financial reporting process also includes the use of nonstandard journal entries to record nonrecurring or unusual transactions or adjustments such as a business combination or disposal, or a nonrecurring estimate such as an asset impairment. In manual, paper-based general ledger systems, such journal entries may be identified through inspection of ledgers, journals, and supporting documentation. However, when IT is used to maintain the general ledger and prepare financial statements, such entries may exist only in electronic form and may be more difficult to identify through physical inspection of printed documents.
- Other procedures used to record recurring and nonrecurring adjustments to the financial statements. These are procedures that are not reflected in formal journal entries, such as consolidating adjustments, report combinations, and reclassifications.
.52
The auditor also should obtain sufficient knowledge of the means the entity uses to communicate financial reporting roles and responsibilities and significant matters relating to financial reporting.
Monitoring
.53
An important management responsibility is to establish and maintain internal control. Management monitors controls to consider whether they are operating as intended and whether they are modified as appropriate for changes in conditions.
.54
Monitoring is a process that assesses the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. This process is accomplished through ongoing activities, separate evaluations, or a combination of the two. In many entities, internal auditors or personnel performing similar functions contribute to the monitoring of an entity's activities. Monitoring activities may include using information from communications from external parties such as customer complaints and regulator comments that may indicate problems or highlight areas in need of improvement. In many entities, much of the information used in monitoring may be produced by the entity’s information system. If management assumes that data used for monitoring are accurate without having a basis for that assumption, errors may exist in the information, potentially leading management to incorrect conclusions from its monitoring activities.
.55
The auditor should obtain sufficient knowledge of the major types of activities the entity uses to monitor internal control over financial reporting, including the source of the information related to those activities, and how those activities are used to initiate corrective actions. When obtaining an understanding of the internal audit function, the auditor should follow the guidance in section 322, The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements, paragraphs .04 through .08.
Application to Small and Midsized Entities
.56
The way in which the objectives of internal control are achieved will vary based on an entity's size and complexity, among other considerations. Specifically, small and midsized entities may use less formal means to ensure that internal control objectives are achieved. For example, smaller entities with active management involvement in the financial reporting process may not have extensive descriptions of accounting procedures, sophisticated information systems, or written policies. Smaller entities may not have a written code of conduct but, instead, develop a culture that emphasizes the importance of integrity and ethical behavior through oral communication and by management example. Similarly, smaller entities may not have an independent or outside member on their board of directors.
.57
When small or midsized entities are involved in complex transactions or are subject to legal and regulatory requirements also found in larger entities, more formal means of ensuring that internal control objectives are achieved may be present. Also, small and midsized entities may use IT in various ways to achieve their objectives. For example, a small entity may use sophisticated applications of IT as part of its information system. The impact of IT on an entity’s internal control is related more to the nature and complexity of the systems in use than to the entity’s size.
Procedures to Obtain Understanding
.58
In obtaining an understanding of controls that are relevant to audit planning, the auditor should perform procedures to obtain sufficient knowledge about the design of the relevant controls pertaining to each of the five internal control components and determine whether they have been placed in operation. This knowledge is ordinarily obtained through previous experience with the entity and procedures such as inquiries of appropriate management, supervisory, and staff personnel; inspection of entity documents and records; and observation of entity activities and operations. The nature and extent of the procedures performed generally vary from entity to entity and are influenced by the size and complexity of the entity, the auditor's previous experience with the entity, the nature of the particular control, and the nature of the entity's documentation of specific controls.
.59
For example, the auditor's prior experience with the entity may provide an understanding of its classes of transactions. Inquiries of appropriate entity personnel and inspection of documents and records, such as source documents, journals, and ledgers, may provide an understanding of the accounting records. Similarly, in obtaining an understanding of the design of automated controls and determining whether they have been placed in operation, the auditor may make inquiries of appropriate entity personnel and inspect relevant systems documentation, reports (for example, exception reports or reports evidencing the processing of transactions or application of other controls), or other documents.
.60
The auditor's assessments of inherent risk and judgments about materiality for various account balances and transaction classes also affect the nature and extent of the procedures performed to obtain the understanding. For example, the auditor may conclude that planning the audit of the prepaid insurance account does not require specific procedures to be included in obtaining the understanding of internal control.
Documenting the Understanding
.61
The auditor should document the understanding of the entity's internal control components obtained to plan the audit. The form and extent of this documentation is influenced by the nature and complexity of the entity's controls. For example, documentation of the understanding of internal control of a complex information system in which a large volume of transactions are electronically initiated, recorded, processed, or reported may include flowcharts, questionnaires, or decision tables. For an information system making limited or no use of IT or for which few transactions are processed (for example, long-term debt), documentation in the form of a memorandum may be sufficient. Generally, the more complex the entity’s internal control and the more extensive the procedures performed by the auditor, the more extensive the auditor's documentation should be.
Assessing Control Risk
.62
Section 326, Evidential Matter, states that most of the independent auditor's work in forming an opinion on financial statements consists of obtaining and evaluating evidential matter concerning the assertions in such financial statements. These assertions are embodied in the account balance, transaction class, and disclosure components of financial statements and are classified according to the following broad categories:
- Existence or occurrence
- Completeness
- Rights and obligations
- Valuation or allocation
- Presentation and disclosure
In planning and performing an audit, an auditor considers these assertions in the context of their relationship to a specific account balance or class of transactions.
.63
The risk of material misstatement fn 11 in financial statement assertions consists of inherent risk, control risk, and detection risk. Inherent risk is the susceptibility of an assertion to a material misstatement assuming there are no related controls. Control risk is the risk that a material misstatement that could occur in an assertion will not be prevented or detected on a timely basis by the entity's internal control. Detection risk is the risk that the auditor will not detect a material misstatement that exists in an assertion.
.64
Assessing control risk is the process of evaluating the effectiveness of an entity's internal control in preventing or detecting material misstatements in the financial statements. Control risk should be assessed in terms of financial statement assertions.
.65
After obtaining the understanding of internal control, the auditor may assess control risk at the maximum level fn 12 for some or all assertions because he or she believes controls are unlikely to pertain to an assertion or are unlikely to be effective, or because evaluating the effectiveness of controls would be inefficient. However, the auditor needs to be satisfied that performing only substantive tests would be effective in restricting detection risk to an acceptable level. For example, the auditor may determine that performing only substantive tests would be effective and more efficient than performing tests of controls for assertions related to fixed assets and to long-term debt in an entity where a limited number of transactions are related to those financial statement components, and when the auditor can readily obtain corroborating evidence in the form of documents and confirmations. In circumstances where the auditor is performing only substantive tests in restricting detection risk to an acceptable level and where the information used by the auditor to perform such substantive tests is produced by the entity's information system, the auditor should obtain evidence about the accuracy and completeness of the information.
.66
In other circumstances, the auditor may determine that assessing control risk below the maximum level for certain assertions would be effective and more efficient than performing only substantive tests. In addition, the auditor may determine that it is not practical or possible to restrict detection risk to an acceptable level by performing only substantive tests for one or more financial statement assertions. In such circumstances, the auditor should obtain evidential matter about the effectiveness of both the design and operation of controls to reduce the assessed level of control risk. fn 13
.67
In determining whether assessing control risk at the maximum level or at a lower level would be an effective approach for specific assertions, the auditor should consider—
- The nature of the assertion.
- The volume of transactions or data related to the assertion.
- The nature and complexity of the systems, including the use of IT, by which the entity processes and controls information supporting the assertion.
- The nature of the available evidential matter, including audit evidence that is available only in electronic form.
.68
In circumstances where a significant amount of information supporting one or more financial statement assertions is electronically initiated, recorded, processed, or reported, the auditor may determine that it is not possible to design effective substantive tests that by themselves would provide sufficient evidence that the assertions are not materially misstated. For such assertions, significant audit evidence may be available only in electronic form. In such cases, its competence and sufficiency as evidential matter usually depend on the effectiveness of controls over its accuracy and completeness. Furthermore, the potential for improper initiation or alteration of information to occur and not be detected may be greater if information is initiated, recorded, processed, or reported only in electronic form and appropriate controls are not operating effectively. In such circumstances, the auditor should perform tests of controls to gather evidential matter to use in assessing control risk.
.69
Examples of situations where the auditor may find it impossible to design effective substantive tests that by themselves would provide sufficient evidence that certain assertions are not materially misstated include the following:
- An entity that conducts business using IT to initiate orders for goods based on predetermined decision rules and to pay the related payables based on system-generated information regarding receipt of goods. No other documentation of orders or goods received is produced or maintained.
- An entity that provides electronic services to customers (for example, an Internet service provider or a telephone company) and uses IT to log services provided to users, initiate bills for the services, process the billing transactions, and automatically record such amounts in electronic accounting records that are used to produce the financial statements.
Assessing Control Risk Below the Maximum Level
.70
Assessing control risk below the maximum level involves fn 14 —
- Identifying specific controls relevant to specific assertions.
- Performing tests of controls.
- Concluding on the assessed level of control risk.
Identifying Specific Controls Relevant to Specific Assertions
.71
The auditor’s understanding about internal control should be used to identify the types of potential misstatements that could occur and to consider factors that affect the risk of material misstatement. In assessing control risk, the auditor should identify the controls that are likely to prevent or detect material misstatement in specific assertions. In identifying controls relevant to specific financial statement assertions, the auditor should consider that the controls can have either a pervasive effect on many assertions or a specific effect on an individual assertion, depending on the nature of the particular internal control component involved. For example, the conclusion that an entity's control environment is highly effective may influence the auditor's decision about the number of an entity's locations at which auditing procedures are to be performed or whether to perform certain auditing procedures for some account balances or transaction classes at an interim date. Either decision affects the way in which auditing procedures are applied to specific assertions, even though the auditor may not have specifically considered each individual assertion that is affected by such decisions.
.72
Conversely, some control activities may have a specific effect on an individual assertion embodied in a particular account balance or transaction class. For example, the control activities that an entity established to ensure that its personnel are properly counting and recording the annual physical inventory relate directly to the existence assertion for the inventory account balance.
.73
Controls can be either directly or indirectly related to an assertion. The more indirect the relationship, the less effective that control may be in reducing control risk for that assertion. For example, a sales manager's review of a summary of sales activity for specific stores by region ordinarily is indirectly related to the completeness assertion for sales revenue. Accordingly, it may be less effective in reducing control risk for that assertion than controls more directly related to that assertion, such as matching shipping documents with billing documents.
.74
General controls relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. The auditor should consider the need to identify not only application controls directly related to one or more assertions, but also relevant general controls.
Performing Tests of Controls
.75
Procedures directed toward evaluating the effectiveness of the design of a control are concerned with whether that control is suitably designed to prevent or detect material misstatements in specific financial statement assertions. Procedures to obtain such evidential matter ordinarily include inquiries of appropriate entity personnel; inspection of documents, reports, or electronic files; and observation of the application of specific controls. For entities with complex internal control, the auditor should consider the use of flowcharts, questionnaires, or decision tables to facilitate the application of procedures directed toward evaluating the effectiveness of the design of a control.
.76
Procedures to obtain evidential matter about the effectiveness of the operation of a control are referred to as tests of controls (paragraphs .90 through .104 of this section discuss characteristics of evidential matter to consider when performing tests of controls). Tests of controls directed toward the operating effectiveness of a control are concerned with how the control (whether manual or automated) was applied, the consistency with which it was applied during the audit period, and by whom it was applied. These tests ordinarily include procedures such as inquiries of appropriate entity personnel; inspection of documents, reports, or electronic files, indicating performance of the control; observation of the application of the control; and reperformance of the application of the control by the auditor. In some circumstances, a specific procedure may address the effectiveness of both design and operation. However, a combination of procedures may be necessary to evaluate the effectiveness of the design or operation of a control.
.77
In designing tests of automated controls, the auditor should consider the need to obtain evidence supporting the effective operation of controls directly related to the assertions as well as other indirect controls on which these controls depend. For example, the auditor may identify a “user review of an exception report of credit sales over a customer’s authorized credit limit” as a direct control related to an assertion. In such cases, the auditor should consider the effectiveness of the user review of the report and also the controls related to the accuracy of the information in the report (for example, the general controls).
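The dependency described in paragraphs .44 and .77 (the user review is only as good as the report it reviews) can be tested by reperformance: recompute the exceptions from source data and compare them with the system-produced report. The following is an added example, not text or code from the standard; the customers, sales, credit limits and the system report are constructed, and the missing invoice stands in for an inaccurate report.

```python
"""Reperformance of a system-produced exception report (credit sales over limit).

Added example, not part of AU Section 319. All data below is constructed.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Iterable, Optional


@dataclass(frozen=True)
class Sale:
    invoice: str
    customer: str
    amount: Decimal  # credit sale amount


# Constructed customer master: authorized credit limit per customer.
CREDIT_LIMITS = {
    "C100": Decimal("5000"),
    "C200": Decimal("1000"),
    "C300": Decimal("2500"),
}

# Constructed credit sales for the period (the source transaction data).
SALES = [
    Sale("INV-1", "C100", Decimal("4800")),
    Sale("INV-2", "C200", Decimal("1500")),  # over the C200 limit
    Sale("INV-3", "C300", Decimal("2500")),  # exactly at the limit: not an exception
    Sale("INV-4", "C200", Decimal("900")),
    Sale("INV-5", "C100", Decimal("6000")),  # over the C100 limit
    Sale("INV-6", "C999", Decimal("10")),    # customer with no authorized limit
]

# Constructed exception report as produced by the entity's IT. INV-5 and INV-6
# are absent, standing in for a report whose accuracy has not been verified.
SYSTEM_REPORT = {"INV-2"}


def is_exception(sale: Sale, limits: dict) -> bool:
    """A sale is an exception if it exceeds the customer's authorized limit.

    A sale to a customer without any authorized limit is also treated as an
    exception, because no authorization exists to compare against.
    """
    limit: Optional[Decimal] = limits.get(sale.customer)
    return limit is None or sale.amount > limit


def reperform_exception_report(sales: Iterable[Sale], limits: dict) -> set:
    """Independently recompute the set of invoices that should appear on the report."""
    return {s.invoice for s in sales if is_exception(s, limits)}


def compare_reports(expected: set, reported: set) -> dict:
    """Contrast the reperformed result with what the system produced."""
    return {
        "omitted": sorted(expected - reported),   # exceptions the report failed to show
        "spurious": sorted(reported - expected),  # rows on the report that are not exceptions
        "accurate": expected == reported,
    }


if __name__ == "__main__":
    expected = reperform_exception_report(SALES, CREDIT_LIMITS)
    print(compare_reports(expected, SYSTEM_REPORT))
```

An omitted row is the case paragraph .44 warns about: a diligent user review of SYSTEM_REPORT would still miss INV-5 and INV-6.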
.78
Because of the inherent consistency of IT processing, the auditor may be able to reduce the extent of testing of an automated control. For example, a programmed application control should function consistently unless the program (including the tables, files, or other permanent data used by the program) is changed. Once the auditor determines that an automated control is functioning as intended (which could be done at the time the control is initially implemented or at some other date), the auditor should consider performing tests to determine that the control continues to function effectively. Such tests might include determining that changes to the program are not made without being subject to the appropriate program change controls, that the authorized version of the program is used for processing transactions, and that other relevant general controls are effective. Such tests also might include determining that changes to the programs have not been made, as may be the case when the entity uses packaged software applications without modifying or maintaining them.
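Paragraph .78 rests on a programmed control functioning consistently only while the program and its permanent data are unchanged, so one test of continued effectiveness is to compare what is deployed against an authorized baseline and the changes approved through program change controls. The following is an added example, not from the standard; the file names, contents and the notion of an "approved changes" manifest are constructed assumptions.

```python
"""Checking that the authorized version of a program is the one in use.

Added example, not part of AU Section 319. Hashes a deployed application tree,
compares it with an authorized baseline manifest, and separates approved changes
from unauthorized ones. The sample files and approved-change list are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each file under root (relative, forward-slash path) to its digest."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def classify_changes(baseline: dict, current: dict, approved: dict) -> dict:
    """Compare deployed digests with the authorized baseline.

    baseline: path -> digest recorded when the control was tested as functioning.
    current:  path -> digest of what is deployed now.
    approved: path -> digest authorized through the program change control process.
    """
    result = {"unchanged": [], "approved_change": [],
              "unauthorized_change": [], "added": [], "removed": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            result["removed"].append(path)
        elif path not in baseline:
            result["added"].append(path)           # no baseline entry at all
        elif baseline[path] == current[path]:
            result["unchanged"].append(path)
        elif approved.get(path) == current[path]:
            result["approved_change"].append(path)  # matches an authorized digest
        else:
            result["unauthorized_change"].append(path)
    return result


def build_demo(root: Path) -> tuple:
    """Construct a baseline deployment, then alter it; returns (baseline, current, approved)."""
    app = root / "app"
    app.mkdir(parents=True, exist_ok=True)
    (app / "post_to_gl.py").write_text("def post(total): return total\n")
    (app / "credit_limits.csv").write_text("C100,5000\nC200,1000\n")
    (app / "edit_checks.py").write_text("def check(x): return x > 0\n")
    baseline = hash_tree(app)

    # Approved change: a revised edit check that went through change controls.
    (app / "edit_checks.py").write_text("def check(x): return x >= 0\n")
    approved = {"edit_checks.py": sha256_file(app / "edit_checks.py")}

    # Unauthorized change to permanent data the program depends on (the
    # "tables, files, or other permanent data" of paragraph .78).
    (app / "credit_limits.csv").write_text("C100,5000\nC200,9000\n")

    # A file deployed without any baseline or approval record.
    (app / "patch.py").write_text("pass\n")
    return baseline, hash_tree(app), approved


def run_demo() -> dict:
    """Run the comparison on a constructed deployment in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        baseline, current, approved = build_demo(Path(d))
        return classify_changes(baseline, current, approved)


if __name__ == "__main__":
    for category, paths in run_demo().items():
        print(f"{category}: {paths}")
```

Anything in unauthorized_change or added is a reason not to rely on the earlier conclusion that the automated control functions as intended until the change has been investigated.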
.79
To test automated controls, the auditor may need to use techniques that are different from those used to test manual controls. For example, computer-assisted audit techniques may be used to test automated controls or data related to assertions. Also, the auditor may use other automated tools or reports produced by IT to test the operating effectiveness of general controls, such as program change controls, access controls, and system software controls. The auditor should consider whether specialized skills are needed to design and perform such tests of controls.
Concluding on the Assessed Level of Control Risk
.80
The conclusion reached as a result of assessing control risk is referred to as the assessed level of control risk. In determining the evidential matter necessary to support an assessed level of control risk below the maximum level, the auditor should consider the characteristics of evidential matter about control risk discussed in paragraphs .90 through .104. Generally, however, the lower the assessed level of control risk, the greater the assurance the evidential matter must provide that the controls relevant to an assertion are designed and operating effectively.
.81
The auditor uses the assessed level of control risk (together with the assessed level of inherent risk) to determine the acceptable level of detection risk for financial statement assertions. The auditor uses the acceptable level of detection risk to determine the nature, timing, and extent of the auditing procedures to be applied to the account balance or class of transactions to detect material misstatements in the financial statement assertions. Auditing procedures designed to detect such misstatements are referred to in this section as substantive tests.
.82
As the acceptable level of detection risk decreases, the assurance provided from substantive tests should increase. Consequently, the auditor may do one or more of the following:
- Change the nature of substantive tests from a less effective to a more effective procedure, such as using tests directed toward independent parties outside the entity rather than tests directed toward parties or documentation within the entity.
- Change the timing of substantive tests, such as performing them at year end rather than at an interim date.
- Change the extent of substantive tests, such as using a larger sample size.
Documenting the Assessed Level of Control Risk
.83
In addition to the documentation of the understanding of internal control discussed in paragraph .61, the auditor should document his or her conclusions about the assessed level of control risk. Conclusions about the assessed level of control risk may differ as they relate to various account balances or classes of transactions. For those financial statement assertions where control risk is assessed at the maximum level, the auditor should document his or her conclusion that control risk is at the maximum level but need not document the basis for that conclusion. For those assertions where the assessed level of control risk is below the maximum level, the auditor should document the basis for his or her conclusion that the effectiveness of the design and operation of controls supports that assessed level. The nature and extent of the auditor's documentation are influenced by the assessed level of control risk, the nature of the entity's internal control, and the nature of the entity's documentation of internal control.
Relationship of Understanding to Assessing Control Risk
.84
Although understanding internal control and assessing control risk are discussed separately in this section, they may be performed concurrently in an audit. The objective of procedures performed to obtain an understanding of internal control (discussed in paragraphs .58 through .60) is to provide the auditor with knowledge necessary for audit planning. The objective of tests of controls (discussed in paragraphs .75 through .79) is to provide the auditor with evidential matter to use in assessing control risk. However, procedures performed to achieve one objective may also pertain to the other objective.
.85
Based on the assessed level of control risk the auditor expects to support and audit efficiency considerations, the auditor often plans to perform some tests of controls concurrently with obtaining the understanding of internal control. In addition, even though some of the procedures performed to obtain the understanding were not specifically planned as tests of controls, they may nevertheless provide evidential matter about the effectiveness of both the design and operation of the controls relevant to certain assertions. For example, because of the inherent consistency of IT processing, performing procedures to determine whether an automated control has been placed in operation may serve as a test of that control’s operating effectiveness, depending on such factors as whether the program has been changed or whether there is a significant risk of unauthorized change or other improper intervention. Also, in obtaining an understanding of the control environment, the auditor may have made inquiries about management's use of budgets, observed management's comparison of monthly budgeted and actual expenses, and inspected reports pertaining to the investigation of variances between budgeted and actual amounts. Although these procedures provide knowledge about the design of the entity's budgeting policies and whether they have been placed in operation, they may also provide evidential matter about the effectiveness of the operation of budgeting policies in preventing or detecting material misstatements in the classification of expenses. In some circumstances, that evidential matter may be sufficient to support an assessed level of control risk that is below the maximum level for the presentation and disclosure assertions pertaining to expenses in the income statement.
.86
When the auditor concludes that procedures performed to obtain the understanding of internal control also provide evidential matter for assessing control risk, he or she should consider the guidance in paragraphs .90 through .104 in judging the degree of assurance provided by that evidential matter. Although such evidential matter may not provide sufficient assurance to support an assessed level of control risk that is below the maximum level for certain assertions, it may do so for other assertions and thus provide a basis for modifying the nature, timing, or extent of the substantive tests that the auditor plans for those assertions. However, such procedures are not sufficient to support an assessed level of control risk below the maximum level if they do not provide sufficient evidential matter to evaluate the effectiveness of both the design and operation of a control relevant to an assertion.
Further Reduction in the Assessed Level of Control Risk
.87
After obtaining the understanding of internal control and assessing control risk, the auditor may desire to further reduce the assessed level of control risk for certain assertions. In such cases, the auditor considers whether additional evidential matter sufficient to support a further reduction is likely to be available, and whether it would be efficient to perform tests of controls to obtain that evidential matter. The results of the procedures performed to obtain the understanding of internal control, as well as pertinent information from other sources, help the auditor to evaluate those two factors.
.88
In considering efficiency, the auditor recognizes that additional evidential matter that supports a further reduction in the assessed level of control risk for an assertion would result in less audit effort for the substantive tests of that assertion. The auditor weighs the increase in audit effort associated with the additional tests of controls that is necessary to obtain such evidential matter against the resulting decrease in audit effort associated with the reduced substantive tests.
.89
For those assertions for which the auditor performs additional tests of controls, the auditor determines the assessed level of control risk that the results of those tests will support. This assessed level of control risk is used in determining the appropriate detection risk to accept for those assertions and, accordingly, in determining the nature, timing, and extent of substantive tests for such assertions.
Evidential Matter to Support the Assessed Level of Control Risk
.90
When the auditor assesses control risk below the maximum level, he or she should obtain sufficient evidential matter to support that assessed level. The evidential matter fn 15 that is sufficient to support a specific assessed level of control risk is a matter of judgment. Evidential matter varies substantially in the assurance it provides to the auditor as he or she develops an assessed level of control risk. The type of evidential matter, its source, its timeliness, and the existence of other evidential matter related to the conclusion to which it leads all bear on the degree of assurance evidential matter provides.
.91
These characteristics influence the nature, timing, and extent of the tests of controls that the auditor applies to obtain evidential matter about control risk. The auditor selects such tests from a variety of techniques such as inquiry, observation, inspection, and reperformance of a control that pertains to an assertion. No one specific test of controls is always necessary, applicable, or equally effective in every circumstance.
Type of Evidential Matter
.92
The nature of the particular controls that pertain to an assertion influences the type of evidential matter that is available to evaluate the effectiveness of the design or operation of those controls. For some controls, documentation of design or operation may exist. In such circumstances, the auditor may decide to inspect the documentation to obtain evidential matter about the effectiveness of design or operation.
.93
For other controls, however, such documentation may not be available or relevant. For example, documentation of design or operation may not exist for some factors in the control environment, such as assignment of authority and responsibility, or for some types of control activities, such as undocumented monitoring controls or control activities performed by a computer. In such circumstances, evidential matter about the effectiveness of design or operation may be obtained through such methods as observation, inquiry, or the use of computer-assisted audit techniques.
Source of Evidential Matter
.94
Generally, evidential matter about the effectiveness of the design and operation of controls obtained directly by the auditor, such as through observation, provides more assurance than evidential matter obtained indirectly or by inference, such as through inquiry. For example, evidential matter that is obtained by the auditor's direct personal observation of the individual who applies a control generally provides more assurance than making inquiries about the application of the control. The auditor should consider, however, that the observed application of a control might not be performed in the same manner when the auditor is not present.
.95
Inquiry alone generally will not provide sufficient evidential matter to support a conclusion about the effectiveness of design or operation of a specific control. When the auditor determines that a specific control may have a significant effect in reducing control risk to a low level for a specific assertion, he or she ordinarily needs to perform additional tests to obtain sufficient evidential matter to support the conclusion about the effectiveness of the design or operation of that control.
Timeliness of Evidential Matter
.96
The timeliness of the evidential matter concerns when it was obtained and the portion of the audit period to which it applies. In evaluating the degree of assurance that is provided by evidential matter, the auditor should consider that the evidential matter obtained by some tests of controls, such as observation, pertains only to the point in time at which the auditing procedure was applied. Consequently, such evidential matter may be insufficient to evaluate the effectiveness of the design or operation of controls for periods not subjected to such tests. In such circumstances, the auditor may decide to supplement those tests with other tests of controls that are capable of providing evidential matter about the entire audit period. For example, for an application control performed by a computer program, the auditor may test the operation of the control at a particular point in time to obtain evidential matter about whether the control is operating effectively at that point in time. The auditor may then perform tests of controls directed toward obtaining evidential matter about whether the application control operated consistently during the audit period, such as tests of general controls pertaining to the modification and use of that computer program during the audit period.
.97
Evidential matter about the effective design or operation of controls that was obtained in prior audits may be considered by the auditor in assessing control risk in the current audit. To evaluate the use of such evidential matter for the current audit, the auditor should consider the significance of the assertion involved, the specific controls that were evaluated during the prior audits, the degree to which the effective design and operation of those controls were evaluated, the results of the tests of controls used to make those evaluations, and the evidential matter about design or operation that may result from substantive tests performed in the current audit. The auditor should also consider that the longer the time elapsed since tests of controls were performed to obtain evidential matter about control risk, the less assurance they may provide.
Note: When performing an integrated audit of financial statements and internal control over financial reporting, refer to paragraph 54 of PCAOB Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, for discussion on the extent of tests of controls.
.98
When considering evidential matter obtained from prior audits, the auditor should obtain evidential matter in the current period about whether changes have occurred in internal control, including its policies, procedures, and personnel, subsequent to the prior audits, as well as the nature and extent of any such changes. For example, in performing the prior audit, the auditor may have determined that an automated control was functioning as intended. The auditor should obtain evidence to determine whether changes to the automated control have been made that would affect its continued effective functioning. Consideration of evidential matter about these changes, together with the considerations in the preceding paragraph, may support either increasing or decreasing the evidential matter about the effectiveness of design and operation to be obtained in the current period.
.99
When the auditor obtains evidential matter about the design or operation of controls during an interim period, he or she should determine what additional evidential matter should be obtained for the remaining period. In making that determination, the auditor should consider the significance of the assertion involved, the specific controls that were evaluated during the interim period, the degree to which the effective design and operation of those controls were evaluated, the results of the tests of controls used to make that evaluation, the length of the remaining period, and the evidential matter about design or operation that may result from the substantive tests performed in the remaining period. The auditor should obtain evidential matter about the nature and extent of any significant changes in internal control, including its policies, procedures, and personnel, that occur subsequent to the interim period.
Interrelationship of Evidential Matter
.100
The auditor should consider the combined effect of various types of evidential matter relating to the same assertion in evaluating the degree of assurance that evidential matter provides. In some circumstances, a single type of evidential matter may not be sufficient to evaluate the effective design or operation of a control. To obtain sufficient evidential matter in such circumstances, the auditor may perform other tests of controls pertaining to that control. For example, an auditor may observe the procedures for opening the mail and processing cash receipts to evaluate the operating effectiveness of controls over cash receipts. Because an observation is pertinent only at the point in time at which it is made, the auditor may supplement the observation with inquiries of entity personnel and inspection of documentation about the operation of such controls at other times during the audit period.
.101
In addition, when evaluating the degree of assurance provided by evidential matter, the auditor should consider the interrelationship of an entity's control environment, risk assessment, control activities, information and communication, and monitoring. Although an individual internal control component may affect the nature, timing, or extent of substantive tests for a specific financial statement assertion, the auditor should consider the evidential matter about an individual component in relation to the evidential matter about the other components in assessing control risk for a specific assertion.
.102
Generally, when various types of evidential matter support the same conclusion about the design or operation of a control, the degree of assurance provided increases. Conversely, if various types of evidential matter lead to different conclusions about the design or operation of a control, the assurance provided decreases. For example, based on the evidential matter that the control environment is effective, the auditor may have reduced the number of locations at which auditing procedures will be performed. If, however, when evaluating specific control activities, the auditor obtains evidential matter that such activities are ineffective, he or she may re-evaluate his or her conclusion about the control environment and, among other things, decide to perform auditing procedures at additional locations.
.103
Similarly, evidential matter indicating that the control environment is ineffective may adversely affect an otherwise effective control for a particular assertion. For example, a control environment that is likely to permit unauthorized changes in a computer program may reduce the assurance provided by evidential matter obtained from evaluating the effectiveness of the program at a particular point in time. In such circumstances, the auditor may decide to obtain additional evidential matter about the design and operation of that program during the audit period. For example, the auditor might obtain and control a copy of the program and use computer-assisted audit techniques to compare that copy with the program that the entity uses to process data.
.104
An audit of financial statements is a cumulative process; as the auditor assesses control risk, the information obtained may cause him or her to modify the nature, timing, or extent of the other planned tests of controls for assessing control risk. In addition, information may come to the auditor's attention as a result of performing substantive tests or from other sources during the audit that differs significantly from the information on which his or her planned tests of controls for assessing control risk were based. For example, the extent of misstatements that the auditor detects by performing substantive tests may alter his or her judgment about the assessed level of control risk. In such circumstances, the auditor may need to re-evaluate the planned substantive procedures, based on a revised consideration of the assessed level of control risk for all or some of the financial statement assertions.
Correlation of Control Risk With Detection Risk
.105
The ultimate purpose of assessing control risk is to contribute to the auditor's evaluation of the risk that material misstatements exist in the financial statements. The process of assessing control risk (together with assessing inherent risk) provides evidential matter about the risk that such misstatements may exist in the financial statements. The auditor uses this evidential matter as part of the reasonable basis for an opinion referred to in the third standard of field work, which follows:
Sufficient competent evidential matter is to be obtained through inspection, observation, inquiries, and confirmations to afford a reasonable basis for an opinion regarding the financial statements under audit.
.106
After considering the level to which he or she seeks to restrict the risk of a material misstatement in the financial statements and the assessed levels of inherent risk and control risk, the auditor performs substantive tests to restrict detection risk to an acceptable level. As the assessed level of control risk decreases, the acceptable level of detection risk increases. Accordingly, the auditor may alter the nature, timing, and extent of the substantive tests performed.
.107
Although the inverse relationship between control risk and detection risk may permit the auditor to change the nature or the timing of substantive tests or limit their extent, ordinarily the assessed level of control risk cannot be sufficiently low to eliminate the need to perform any substantive tests to restrict detection risk for all of the assertions relevant to significant account balances or transaction classes. Consequently, regardless of the assessed level of control risk, the auditor should perform substantive procedures for all relevant assertions related to all significant accounts and disclosures in the financial statements.
.108
The substantive tests that the auditor performs consist of tests of details of transactions and balances, and analytical procedures. In assessing control risk, the auditor also may use tests of details of transactions as tests of controls. The objective of tests of details of transactions performed as substantive tests is to detect material misstatements in the financial statements. The objective of tests of details of transactions performed as tests of controls is to evaluate whether a control operated effectively. Although these objectives are different, both may be accomplished concurrently through performance of a test of details on the same transaction. The auditor should recognize, however, that careful consideration should be given to the design and evaluation of such tests to ensure that both objectives will be accomplished.
Effective Date
.109
This amendment is effective for audits of financial statements for periods beginning on or after June 1, 2001. Earlier application is permissible.
Appendix
.110
Footnotes (AU Section 319 — Consideration of Internal Control in a Financial Statement Audit):
fn * This section has been revised to reflect the amendments and conforming changes necessary due to the issuance of Statement on Auditing Standards No. 78, effective for audits of financial statements for periods beginning on or after January 1, 1997. The amendments are made to recognize the definition and description of internal control contained in Internal Control—Integrated Framework, published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO Report). This section has also been amended to reflect the issuance of Statement on Auditing Standards No. 94, effective for audits of financial statements for periods beginning on or after June 1, 2001. Earlier application is permissible.
fn 1 Internal control also may be referred to as internal control structure.
fn 2 Information technology (IT) encompasses automated means of originating, processing, storing, and communicating information, and includes recording devices, communication systems, computer systems (including hardware and software components and data), and other electronic devices. An entity's use of IT may be extensive; however, the auditor is primarily interested in the entity's use of IT to initiate, record, process, and report transactions or other financial data.
fn 3 Control risk may be assessed in quantitative terms, such as percentages, or in nonquantitative terms that range, for example, from a maximum to a minimum. The term maximum level is used in this section to mean the greatest probability that a material misstatement that could occur in a financial statement assertion will not be prevented or detected on a timely basis by an entity’s internal control.
fn 4 If the auditor is unable to obtain such evidential matter, he or she should consider the guidance in section 326, Evidential Matter, paragraphs .14 and .25.
fn 5 The term comprehensive basis of accounting other than generally accepted accounting principles is defined in section 623, Special Reports, paragraph .04. Hereafter, reference to generally accepted accounting principles in this section includes, where applicable, an other comprehensive basis of accounting.
fn 6 An auditor may need to consider controls relevant to compliance objectives when performing an audit in accordance with section 801, Compliance Auditing Considerations in Audits of Governmental Entities and Recipients of Governmental Financial Assistance.
fn 7 See section 324, Service Organizations, for guidance if an entity obtains services that are part of its information system from another organization.
fn 8 Paragraph 12 of the appendix [paragraph .110] defines initiation, recording, processing, and reporting as used throughout this section.
fn 9 See section 311, Planning and Supervision, paragraph .10.
fn 10 These assertions are discussed in section 326.
fn 11 For purposes of this section, a material misstatement in a financial statement assertion is a misstatement whether caused by error or fraud as discussed in section 312, Audit Risk and Materiality in Conducting an Audit, that either individually or when aggregated with other misstatements in other assertions would be material to the financial statements taken as a whole.
fn 12 See footnote 3.
fn 13 See footnote 4.
fn 14 Section 324 describes reports that an auditor may obtain that may assist in identifying controls relevant to specific assertions and obtaining evidential matter regarding their operating effectiveness when an entity uses a service organization.
fn 15 See also section 326 for guidance on evidential matter.