There is often a misconception amongst auditors that if the auditor does not propose to rely on internal controls there is no need to obtain an understanding of controls, or to document specific elements of internal controls. This is however not true as auditing standards require that there must be some review of the internal controls on every audit, (even when the auditor performs a small audit). In order to demonstrate compliance with auditing standards the auditor needs a basic understanding of the company and its method of operation to prepare an effective substantive, detailed audit plan.
The purpose of this course is to take delegates through the audit process and to discuss in detail every requirement that is listed in the auditing standards that relates to internal controls.
This course offers a comprehensive review of the auditors obligation toward internal controls, from the requirements listed in the international standards on auditing through to the real-world issues faced during external audits. Furthermore this course will cover the documentation requirements relating to an audit engagement, including the elements to be included in the working papers.
After this course, delegates should understand that auditors always have a responsibility towards internal control, whether or not tests of controls will be performed. They should however understand exactly what is included in this responsibility, and that it does not include implementing or documenting system descriptions, but that this is managements responsibility.
Delegates should understand when a control is relevant to the audit and exactly what needs to be done for this control and how it should be documented.
If reliance will be placed on controls, delegates should understand how to design tests of controls and how to determine sample sizes for these tests.
Lastly, delegates should understand their reporting duties, both to those charged with governance and to the users of the financial statements in terms of the revised reporting standards.
What is internal control and why do we implement it
Responsibility for internal controls
o Whose responsibility is it to implement internal controls?
o What is the reason for implementing internal controls?
What is the auditors responsibility towards internal controls?
o How do we address this responsibility in the engagement letter?
o Is it the auditors responsibility to document system descriptions or the clients?
o What is the auditors responsibility towards reporting deficiencies and significant deficiencies to management and those in charge of governance?
The auditor shall obtain an understanding of internal controls relevant to the audit.
o What constitutes internal control relevant to the audit?
o To what extent do the controls relevant to the audit have to be understood?
o What should the auditor document when obtaining an understanding of the clients internal control?
The auditor shall include in the audit documentation key elements of the understanding obtained regarding each of the internal control components
o What are these key elements that must be documented by the auditor and what impact will this have on the rest of the audit process especially in the smaller company environment?
What effect will this assessments of the key elements have on the determination of the risk of Material misstatement (ROMM)
The auditor shall evaluate the design of those controls and determine whether they have been implemented.
o What exactly does this mean and to what extent shall the auditor perform procedures to determine whether or not the controls have been implemented? Is this the same as a walk-through test?
o What is the next step if the auditor determines that the controls are capable of effectively preventing, detecting and correcting material misstatements?
o What if the answer to the above is no?
The auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence as to the operating effectiveness of relevant controls.
o What is the meaning of control activities?
o When should the auditor perform tests of controls on control activities?
o What exactly does the following excerpt from the standards mean? Substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level.
o What factors should the auditor consider in determining whether to perform tests of controls?
o To what extent do the controls relevant to the audit have to be tested?
o Should the auditor provide reasons for deciding not to test internal controls?
o What are the different methods available to the auditor to test the effectiveness of internal controls?
o When can the auditor rely on the so-called 3 year rule?
Sampling techniques
o What sampling techniques are available to the auditor?
o Statistical vs non statistical. Which one is better?
o How to design the sample including what should the sample size be, selection methods etc.
o What must be documented in the sampling working papers?
o Deviations and misstatements. How to interpret sampling results?
o Projection of misstatements.
o How to evaluate the results and conclude on a sample.
The auditors obligation to report deficiencies in controls to management and those charged with governance.
o What is the difference between deficiencies in internal controls and significant deficiencies in internal controls
o When and how should this be reported?
How will deficiencies impact on the auditors report in terms of the new reporting standards?
What is a KAM and when will this be reported.
This session will be presented on an intermediate level and all employees within an engagement team, regardless of their level will benefit.