Название | Wiley Practitioner's Guide to GAAS 2020 |
---|---|
Автор произведения | Joanne M. Flood |
Жанр | Бухучет, налогообложение, аудит |
Серия | |
Издательство | Бухучет, налогообложение, аудит |
Год выпуска | 0 |
isbn | 9781119596035 |
2 Nature of the client, which includes its operations, its ownership, governance, the types of investments it makes and plans to make, how it is financed, and how it is structured.
3 Accounting policies, including the entity’s selection and application of accounting policies, the reasons for any changes, and whether the entity’s accounting policies are appropriate for its business and consistent with the applicable financial reporting framework and accounting policies used in the relevant industry.
4 Objectives and strategies and related business risks, which may result in material misstatement of the financial statements taken as a whole or as individual assertions.
5 Measurement and review of the client’s financial performance, which tell the auditor which aspects of the client’s performance management considers important.
(AU-C 315.12)
NOTE: The purpose of understanding the entity and its environment is to help identify and assess risk. For example:
Information about the client’s industry may allow the auditor to identify characteristics of the industry that could give rise to specific misstatements.
Information about the ownership of the client, how it is structured, and other elements of its nature will help identify related-party transactions that, if not properly accounted for and adequately disclosed, could lead to a material misstatement.
The auditor’s identification and understanding of the business risks facing the entity increase the chance of identifying financial reporting risks.
Information about the performance measures used by the entity may lead the auditor to identify pressures or incentives that could motivate entity personnel to misstate the financial statements.
Information about the design and implementation of internal control may identify deficiencies in control design, which increase the risk of material misstatement.
NOTE: Obtaining an understanding of the entity and its environment also allows the auditor to make judgments about other audit matters, such as:
Materiality
Whether the entity’s selection and application of accounting policies are appropriate and financial statement disclosures are adequate
Areas where special audit consideration may be necessary—for example, related-party transactions
The expectation of recorded amounts used for performing analytical procedures
The evaluation of audit evidence
Understanding the Entity’s Internal Control
On every audit, the auditor should obtain an understanding of internal control that is of sufficient depth to enable the auditor to:
Assess the risks of material misstatement of the financial statements, whether due to error or to fraud.
Design the nature, timing, and extent of further audit procedures.
To meet these requirements, the auditor should:
Evaluate the design of controls that are relevant to the audit and determine whether the control—either individually or in combination—is capable of effectively preventing or detecting and correcting material misstatements.
Determine that the control has been implemented—that is, that the control exists and that the entity is using it.
(AU-C 315.13–.14)
The auditor’s evaluation of internal control design and the determination of whether controls have been implemented are critical to the assessment of the risks of material misstatement. Remember that even if the auditor’s overall audit strategy contemplates performing only substantive procedures for all relevant assertions related to material transactions, account balances, and disclosures, the auditor still needs to evaluate the design of the client’s internal control.
NOTE: In evaluating control design, it is helpful to consider:
Whether control objectives that are specific to the unique circumstances of the client have been considered for all relevant assertions for all significant accounts and disclosures
Whether the control or combination of controls would—if operated as designed—meet the control objective
Whether all controls necessary to meet the control objective are in place
NOTE: To evaluate the design and implementation of internal controls relevant to the audit, the auditor should perform procedures such as:
Inquiry
Observation
Inspection of documentation
Walk-throughs—tracing transactions through the information systems
When obtaining an understanding about the design of internal controls and determining whether those controls have been implemented, inquiry alone is not sufficient. Thus, for these purposes, the auditor should supplement inquiries with other risk assessment procedures. (AU-C 315.14)
(AU-C 315.A76)
Distinguishing between Evaluation of Design and Tests of Controls
Obtaining an understanding of the design and implementation of internal controls is different from testing their operating effectiveness.
Understanding the design and implementation is required on every audit as part of the process of assessing the risks of material misstatement.
Testing the operating effectiveness is necessary only when the auditor will rely on the operating effectiveness of controls to modify the nature, timing, and extent of substantive procedures or when substantive procedures alone do not provide the auditor with sufficient audit evidence at the assertion level.
The procedures necessary to understand the design and implementation of controls do provide some limited evidence regarding the operation of the controls. However, the procedures necessary to understand the design and implementation of controls generally are not sufficient to serve as a test of their operating effectiveness for the purpose of placing significant reliance on their operation.
Examples of situations where the procedures the auditor performs to understand the design and implementation of controls may provide sufficient audit evidence about their operating effectiveness include:
Controls that are automated to the degree that they can be performed consistently provided that general information technology (IT) controls over those automated controls operate effectively during the period.
Controls that operate only at a point in time rather than continuously throughout the period. For example, if the client performs an annual physical inventory count, the auditor’s observation of that count and other procedures to evaluate its design and implementation provide audit evidence that may affect the design of the auditor’s substantive procedures.
The Five Components of Internal Control
The required understanding of internal control must include all five components of internal control:
1 The control environment,
2 The entity’s risk assessment process,
3 The information system, including processes