|
Brow Location: United States\PwC Material\Montgomery's Auditing, Twelfth Edition\Part 2: Theory and Concepts |
茅理翔 Publish Date: 25 June, 2001 | |
| |
窗体顶部马铃薯炖肉
窗体底部
10
Understanding Entity-Level Controls
10.1 Developing the Understanding |
(a) Control Environment, (i) Integrity and Ethical Values, (ii) Commitment to Competence, (iii) Composition and Activities of the Board of Directors and Committees, (iv) Management's Philosophy and Operating Style, (v) Organizational Structure, (vi) Assignment of Authority and Responsibility, (vii) Human Resource Policies and Practices, (b) Management's Risk Asssment, (c) Monitoring, (d) Information and Communication, (i) The Accounting System, (ii) The Computer Environment, (1) Hardware, (2) Software, (3) Databa Management Systems, (3A) Data Warehou Applications二次元污污 (4) Organization of the IT Function, (5) Decentralized and Distributed Data Processing, (iii) Understanding the Accounting System and the Computer Environment, |
10.2 Evaluating Design Effectiveness |
10.3 Application to Small and Mid-sized Entities |
10.4 Documenting the Understanding and Evaluation of Design | 五常是什么意思
|
Controls that are relevant to financial reporting are applied at various levels in an entity. Controls in some components, such as the control environment, operate at a high level within an entity and thus have an impact on many or all account balances. Other controls are applied at successively lower levels and relate to increasingly more detailed process and activities. Some of tho controls are applied to a cycle or an entire class of transactions in a cycle, and have an effect on the account balances derived from related transactions. Others, specifically control activities, operate at even lower, more detailed levels and tend to be focud on individual applications within transaction cycles and to affect specific account balances and audit objectives. The latter controls are most relevant when the auditor plans to asss control risk at low. Understanding the entity-level aspects of internal control is discusd in this chapter, and understanding control activities and aspects of monitoring that relate to a cycle or transactions in a cycle in Chapter 11 (e Section 11.3, Developing the Understanding). Chapter 12 covers asssing control risk and testing controls, at all levels, to confirm the asssment (e Section 12.5, Documenting the Asssment of Control Risk and Tests of Controls).
Figure 10.1 depicts the process by which the auditor obtains an understanding of internal control and asss control risk. The flowchart shows the various decisions the auditor makes and their conquences for the audit strategy. The steps in the flowchart are explained in the following ctions of this chapter and in Chapters 11 and 12.
Figure 10.1 Understanding Internal Control and Its Audit Implications
Understand Entity-Level Control Components:
1. Control Environment
2. Management's Risk Asssment
3. Information and Communication
4. Monitoringa
Understand Accounting System and Computer Environment
Evaluate Effectiveness of Design
Make Preliminary Asssment of Control Risk
Maximum control risk | 西葫芦的做法大全Below the maximum control risk | Low control risk |
No further understanding needed | Obtain understanding of activity-level monitoring controls; evaluate effectiveness of design | Obtain understanding of control activities; evaluate 联想进入bioseffectiveness of design |
No tests of controls performed | Test entity-level controls and activity-level monitoring controls to confirm asssmentb | Test entity-level controls and control activities to confirm asssmentb |
Design substantive tests to gain high assurance | Design substantive tests to gain moderate assurance | Design substantive tests to gain low assurance |
回形针体位 | | |
a Includes performance reviews, which are classified as control activities in SAS No. 78. See footnote 2 in Chapter 11.
b On recurring engagements, certain tests of controls may be performed at the same time as updating the understanding, bad on the planned asssment of control risk.
10.1 Developing the Understanding
The cond standard of field work specifically requires the auditor to obtain a sufficient understanding of the entity's internal control for planning purpos. A sufficient understanding of internal control is one that when considered together with other information about the entity, such as that from prior years' experience, enables the auditor to evaluate whether controls are effectively designed, identify misstatements that could occur becau of any design deficiencies, consider the risk of such misstatements occurring, and design appropriate substantive tests to detect them. Statement on Auditing
Standards (SAS) No. 78, Consideration of Internal Control in a Financial Statement Audit: An Amendment of SAS No. 55 (AU Section 319), points out that while internal control is relevant to both the entity as a whole and its individual operating units or business functions, it may not be necessary for the auditor to obtain an understanding of internal control related to each of the entity's operating units or business functions. An audit guide to the SAS, Consideration of Internal Control in a Financial Statement Audit, issued by the AICPA's Control Risk Audit Guide Revision Task Force illustrates how auditors might apply the provisions of the SAS in determining an audit strategy that might be ud for entities of various sizes, including obtaining the necessary understanding of internal control.
Meeting the cond standard of field work requires the auditor to develop an understanding of relevant controls in the various components, regardless of the planned control risk asssment. It may not be necessary for the auditor to understand control activities when control risk is assd at maximum or below the maximum, becau in tho circumstances no tests of control activities will be performed. The auditor should, h
幼儿唐诗100首
owever, consider whether an understanding of any specific control activities is necessary in order to design substantive tests.
In developing the understanding of internal control, the auditor determines the design of relevant controls, that is, how they are suppod to operate, and whether they have been placed in operation, that is, whether the entity is actually using them. The auditor's objective in understanding controls is not to obtain evidence about whether they are operating effectively; evidence about the effective operation of controls is obtained by testing the controls, which is discusd in Chapter 12 (e Section 12.3, Performing Tests of Controls). Often, however, the auditor obtains some evidence about operating effectiveness as a result of performing procedures aimed at developing the understanding, becau tho procedures are similar to procedures ud in testing controls. The auditor considers that evidence when determining the tests of controls to perform in order to be able to restrict substantive tests directed at certain audit objectives and account balances.
The understanding of internal control required for audit planning (that is, for identifying and reacting to the risk of material misstatements) is obtained by considering previous experience with the entity, reviewing prior-year audit results, making inquiries of entity personnel and obrving them in the performance of their duties, and examining descriptions of procedures and other appropriate documentation prepared by the entity's personnel. As explained in Chapter 6, obrvation involves direct viewing of employees in the work environment. Inquiry (interviewing) entails asking specific questions of the entity's management and employees, which may be done informally or in formal interviews. Interviewing is one of the most effective ways to gain an initial understanding of the entity's internal control. The auditor examines records (either manual or electronic), documents, reconciliations, and reports for evidence that a procedure has been properly applied. The specific procedures the auditor performs to obtain the necessary understanding of internal control, and the extent to which they are performed on a particular audit, vary according to the entity's size and complexity, the auditor's previous experience with the entity, the particular control, and the entity's documentation.