The primary responsibility of auditors during the old times was to detect errors including employee and management fraud and particular illegal acts. This responsibility still applies in the modern audit but it's not the primary objective of a modern auditor. The primary objective of a modern auditor now is to express an opinion on the true and fair view of the financial statements of a company. Internal controls are really important for the planning of an audit strategy and therefore their correctness and validity it's really crucial for auditors to rely on them and make their planning effective. Planning it's a very important part in auditing because a bad planning means a high possibility of bad result.
Auditing it's divided in four phases, accepting the audit engagement, planning, performing audit procedures and reports the findings. In the first phase the auditor take on professional responsibilities to the client and to the public by accepting an engagement letter from a client. After that an auditor has to make its planning and here is when the internal controls significance is important. Planning is crucial to a successful engagement because it enables auditors to meet their professional responsibilities and the objective of the auditor in planning, is to plan the audit so that it will be performed in an effective manner. Stages of planning include risk assessment procedures, testing of controls and substantive testing. All these stages are relied on internal controls.
Internal controls are designed in order to have reasonable assurance that the entity's financial statements are presented fairly according with the basis of accounting chosen by the management. They are designed to prevent, detect and correct errors that would cause the financial statements to be wrong. Evaluation and testing of internal controls has to be made in order to ensure that the internal controls are working as they designed. Parts of the evaluation process are, to obtain an understanding of the internal control structure, make sure that the objectives had worked effectively as designed and examine the elements that assured that the internal control objectives would be met. Testing includes compliance testing with a combination of substantive testing.
In the evaluation process auditors have to make sure that the recorded transactions, are the ones should have been recorded(validity), transactions are not omitted from the accounting records(completeness), transactions are approved before they are recorded (authorisation), transactions are properly valued, classified and recorded in the proper time period(valuation, classification, timing) and the last one is to ensure that transactions were properly included in the records and summarised correctly.(posting and summarisation). Auditors should also obtain and document an understanding of the accounting system and mainly the control environment in order to see whether the objectives of internal control were effectively operated.
An understanding of the control environment enables the auditors to evaluate the effectiveness of control procedures. A strong control environment with an effective internal audit and strong budgetary controls increases the effectiveness of control procedures and gives important knowledge to the auditors like, any potential misstatements in the financial statements', considering factors that affect the risk of material misstatement and design planned substantive tests. Control environment is the foundation for all other components of the internal control structure. Auditors should also obtain an understanding of the accounting system to enable them understand and identify: any major classes of transactions in the entity's operations, how these transactions are initiated, significant accounting records supporting accounts and documents in the financial statements and the financial reporting process used in order to prepare the financial statements.
After obtaining an understanding of the accounting system and control environment they expect to be able to rely on their assessment of control risk to reduce their substantive procedures and they can do it by make a preliminary assessment of the control risk for any material information included in the financial statements' and then plan and perform tests of control to support their assessment. Materiality is the information which matters for our decisions, and is used to distinguish misstatements of audit significance from those that are not. The full definition of audit risk we will see later refers to the risk of material misstatements. Assessment of control risk is conducted in two phases the effectiveness of the design of internal control and the effectiveness of its operation.
Risk assessment is the identification and analysis of relevant risks to achievement of the objectives we said before in order to see how the risks should be managed. Risk assessment will help us find the total audit risk which is AR=IR+CR+DR in order to consider risks and go the next stage in planning, which is to develop strategies for the significance of assertions. IR is the inherent risk which is the possibility that a misstatement could occur from the beginning as soon as accepting the engagement, inherent risk exists independently of the audit of financial statements therefore auditors cannot change the level of this risk. CR is the control risk and generally is the risk that a misstatement will not prevented or detected by an entity's internal control. It's based on internal controls and therefore effective internal controls reduce control risk. Auditors cannot change the level of this risk but they can influence it by recommending improvements in internal controls. Finally this risk can never be zero because sometimes controls may be ineffective due to human failure by carelessness. Auditors are unable to control inherent and control risk but they can evaluate these risks and design substantive procedures to produce an appropriate level of detection risk which is DR in order to reduce audit risk to an acceptable level. Audit risk is the risk that financial statements are wrong and auditors have failed to detect any misstatements resulting in a wrong opinion on the financial statements. This risk has to be as low as possible if auditors want to express a correct opinion.
Information and communication is another component of internal control structure which supports internal control by conveying directives from the managers to employees in a form that allow them to perform their control activities effectively. The last component of internal control is monitoring which is a process to evaluate the quality of internal control over time through special evaluations, thus this is an important component to see whether controls were operated as intended. Evaluating the components of ICS is very crucial for auditors because these components are established and maintained by the management, thus they have to make sure that everything was operated as designed, and then assess the control risk in order make strategies of testing the controls.
After the evaluation process auditors have to do some testing of controls from the key factors they identified in each component of the internal control structure. Test of controls are designed to verify that control procedures are actually operating as laid down. Auditors have to test the key factors they distinguished before in each component in order to see if the system really works. Testing of controls is made by compliance procedures which is the test an auditor conducts in order to ensure that the companies procedures and mechanisms has been applied as intended by the management, and they have to provide audit evidence for the results. Compliance usually covers financial controls, technology systems and operational risks. Substantive procedures are the procedures that substantiate the amounts recorded in the financial statements in order to provide audit evidence for the completeness accuracy and validity of financial statements. They are more costly to perform and need more time than compliance procedures. Therefore reliable and effective internal controls save time and money because auditors do less substantive tests .Both tests are important therefore auditors usually plan the audit by the combination of control and substantive procedures as based on the preliminary assessment. The lower the level of control risk we found in the preliminary assessment the lower the planned level of substantive procedures. If the tests show that controls are not working as they planned then auditors have to reconsider their strategy and increase the level of use of substantive procedures.
C:\Users\Kostas\Desktop\Untitled.png
As we can see from the graph there are three parts, evaluation, compliance testing and substantive testing. In the right part of the graph the 95% means that 95% of the companies being audit are in that part of the graph which is very good. This is the perfect part in the graph because control risk is very low meaning that internal controls are strong and reliable. On the bottom left of the graph we can see that the control risk is high therefore internal controls are weak which means more substantive testing will be needed therefore more time and effort will be needed from auditors due to the bad management occurred. High C.R is not good for shareholders, neither for auditors neither for the management of the company. Shareholders have to pay more money to the auditors for the substantive procedures and auditors will spend more time and effort in the company meaning that in the end the cost of this procedure will be higher than the benefit they will gain from the procedures. Evaluation and testing is the total evidence auditors have in order to assume that accounts are true and fair.
Thus evaluation and testing is the most important part in modern audit because it's crucial in helping the auditor in order to achieve its goals and to have an opinion on the true and fair view of the financial statements. If the auditor wants to be considered professional and achieve his main objective which is to express an independent opinion on the financial statements, then he has to check deeply the company and specifically internal controls in order to have a good planning on reliable information. If auditors don't evaluate and test the internal controls, it means that they are not doing their work properly because they rely on the work of the management and this can be very risky and wrong if they really want to have a correct professional analysis.
References:
1)Audit and Management Advisory Services. (2009). Internal Control-Integrated Framework. Available: http://amas.syr.edu/AMAS/display.cfm?content_ID=%23((%25)%0A. Last accessed 1st March 2013.
2)Anne Burke. (). Audit Planning. Available: http://www.cpaireland.ie/UserFiles/File/students/2010%20Examinations/Exam%20Related%20Articles/2010%20P1%20Auditing%20CPA%20Introduction%20to%20Audit%20Planning.pdf. Last accessed 1 March 2013.
3) Lembi Noorve. (2006). Evaluation of the effectiveness of the internal control over financial reporting . Available: http://dspace.utlib.ee/dspace/bitstream/handle/10062/1315/noorveelembi.pdf. Last accessed 1 March 2013.
4) Thomas A. ,Ratcliffe, CPA, Charles E.. (2009). Understanding Internal Control and Internal Control Services.Available: http://media.journalofaccountancy.com/JOA/Issues/2009/09/Understanding_Internal_Control_Services_2.pdf. Last accessed 1 March 2013.
5) Jack W. Paul. (2005). Audits of internal Control. Available: http://www.nysscpa.org/cpajournal/2005/505/essentials/p22.htm. Last accessed 1 March 2013.
6)http://www.google.co.uk/url?sa=t&rct=j&q=why%20internal%20controls%20are%20important%20for%20auditors&source=web&cd=14&cad=rja&ved=0CEwQFjADOAo&url=http%3A%2F%2Fccba.jsu.edu%2Fccba%2Ffaculty%2FfacultyFiles%2Fjzanzig_Auditing%2520Ch%252010%2520Lecture.ppt&ei=T3UbUZehL9K20QXRh4CwCw&usg=AFQjCNF1gsfR5bBla75KjoMetGfkYlCB-w&bvm=bv.42261806,d.d2k
7) Bruce Mayer, Peg Nolan, Steve Wolfe. (2012). Internal Control.Available: http://www.cooperativegrocer.coop/articles/2012-04-09/accounting-best-practices-internal-control. Last accessed 1 March 2013.
8) Daniel Draz. (2011). Fraud Prevention Improving internal Controls.Available: http://www.csoonline.com/article/678375/fraud-prevention-improving-internal-controls-. Last accessed 1 March 2013.
