Risk Assessment and Tests of Internal Controls

In this chapter we focus on and address the following issues:

  • Techniques and guidelines for assessing technological, economic, legal, and other forms of risk both in the United States and internationally
  • Special focus on business risk and how the auditor can ascertain and determine substantive tests based on the level of risk
  • How assessment of business risk varies between the United States (Public Company Accounting Oversight Board [PCAOB]) and abroad (International Standards on Auditing [ISA])

We then focus on an integrally related aspect, namely, internal controls over financial reporting, with special reference to:

  • how auditors should assess internal controls over financial reporting;
  • the significant differences, if any, between PCAOB and ISA guidance;
  • lessons (if any) auditors should be aware of as a result of these differences.


Both topics, risk assessment and tests of internal controls over financial reporting (the only type of internal controls addressed in this book), are intertwined. As mentioned, we first discuss risk assessment and then, based on that assessment, discuss how auditors conduct tests of internal controls. The internal control system is the organization’s system of checks and balances: a set of review and oversight processes and tools that help ensure that errors or fraudulent entries are not made in the accounting system. The system can also help ensure that assets are not stolen. The focus throughout this chapter is the viewpoint of the auditor in an audit setting.

Why does an auditor need to assess risk? The reason for assessing risk is to help prevent fraud and misstatements in the financial statements. When an auditor audits a company, the main objective is to provide reasonable assurance that the financial statements do not contain material mistakes. This helps ensure better future decisions by the company and by its current and future investors and creditors. Understanding the overall risk factors that may affect the client firm helps the auditor determine which auditing procedures should be used to test, among other things, the internal controls that mitigate the probability of fraud and material misstatement of the financial statements. Even apart from internal controls, understanding the overall risk a client firm faces also helps the audit firm assess other potential sources of misstatement in the client’s financial statements. For example, some sorts of business risk may lead management to engage in financial statement fraud so that the firm’s financial statements show the corporation to be thriving. Such behavior may not be correctable even by an otherwise excellent internal control system, because client management stands atop the internal control system and can make fraudulent accounting entries that the system cannot block: top management controls the internal control system. Accordingly, the auditor must audit both the financial accounting system, including the accuracy of its entries, and the internal control system that helps (but does not guarantee) the accuracy of those entries. Even apart from fraud, an auditor is required to develop an understanding of the various risks a company faces because doing so helps the auditor allocate audit team resources appropriately. Knowing, for example, that the technology a client firm sells is changing rapidly alerts the auditor to possibly obsolete items in the client’s merchandise inventory account.

Overall, unlike ISA, PCAOB Auditing Standard (AS) 5 specifically requires an integrated audit. PCAOB AS 5, paragraph 6, states that “the audit of internal control over financial reporting should be integrated with the audit of the financial statements.” Paragraph 6 continues by cautioning that the objectives of the two audits are not identical; therefore, it says, the auditor must plan and perform the work to achieve the objectives of both audits. The concept of an integrated audit means that, in addition to auditing the financial statements, the auditor must assess whether the tests of internal controls show that the internal controls can help ensure financial statements that are not materially misstated. This is discussed in greater detail at the end of this chapter. The differences in overall philosophy between the standard-setting bodies with respect to risk assessment and tests of internal controls over financial reporting are significant. We focus on risk first, discussing guidelines for auditors assessing the various forms of business risk, and on internal control risk second.

It is important to note here that the general methods that the auditor could use to evaluate the risk assessment process, the risk the client firm faces, and the design and operation of the internal control system include:

  • inquiring of management and client firm personnel about the risk assessment and internal control processes;
  • observing how the internal controls operate;
  • inspecting documentation to gain evidence about the operation of the control system; and
  • reperforming controls.

Techniques and Guidelines for Assessing Technological, Economic, Legal, and Other Forms of Risk Both in the United States and Internationally

ISA 315 Identifying and Assessing Risks of Material Misstatement through Understanding the Entity and its Environment (the Auditing Standards Board [ASB] equivalent is Section 315 Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement) states that the auditor should obtain an understanding of the entity and its environment, including its internal control system. This understanding should be sufficient to identify and assess the risks of material misstatement of the financial statements (whether due to fraud or error). This understanding should also be sufficient to enable auditors to design and perform further audit procedures. The standard notes that obtaining an understanding of the entity and its environment, including its internal control, is a continuous dynamic process of gathering, updating, and analyzing information throughout the audit. Internal control is a vital element that affects the audit process. Everybody in the firm has responsibility for maintaining an adequate system of internal controls. This includes the company’s management, board of directors, and other personnel including, most importantly, the internal auditors. Internal auditors are auditors who are direct employees of the client firm itself. Mostly they do not perform financial statement audits. They can, however, be part of the monitoring component of the client’s internal controls. They may also evaluate the efficiency and effectiveness of operations, whether corporate policies are being complied with, and so forth.

A company establishes internal controls to achieve its performance goals. Internal controls help ensure that, in the process of attempting to attain those goals, the company (1) has a reliable financial reporting system and (2) complies with relevant laws and regulations. We further discuss and elaborate on internal controls in the last part of this chapter. At this point, the main issue to be aware of is that ISA 315 (refer to paragraph 20 onwards) sets out, from the point of view of the auditor, the components of an effective internal control that the auditor must understand. These are the:

  • industry and its environment;
  • nature of the entity;
  • objectives and strategies and related business risks; and
  • measurement and review of the entity’s financial performance.

These are discussed individually.

Understanding the Industry and its Environment

According to ISA 315, the following are the key factors that an auditor should look at for the purpose of risk assessment (obtained from Appendix 1 of ISA 315, with the actual appendix providing greater detail than does our succinct summary):

Industry Conditions

  • What is the nature of the market and competition?
  • Is demand affected by cyclical and seasonal activity?
  • What is the nature of the product technology relating to the company’s products? For example, is there a high probability of obsolescence due to the speed of technological development?

Regulatory Environment

  • What are the industry specific practices?
  • Is there legislation and regulation that could significantly affect the entity’s operations that the auditor should be aware of?
  • What is the nature of corporate and other taxation for this entity?
  • Are there any specific government policies that could affect the entity’s business? This includes determining if there are policies that have a positive impact (e.g., financial incentives) and policies that have a negative impact (tariffs and trade restrictions).
  • Are there any special environmental regulations that could affect the company’s activities?

Other Key Issues

  • What is the present general level of economic activity in the industry? (i.e., is there currently a recession, or is the economy in a growth phase?)
  • What are the present rates and availability of financing?
  • Is there inflation? If so, does it affect the company’s ability to expand? Does it harm the company in any way?

A sound illustration is also provided by Hayes et al. (2005). They note that the telecommunications industry has certain risks because it is globally competitive, is characterized by rapid technological changes that render its assets obsolete at a faster rate than assets in other industries, and is subject to laws strictly regulating service fees. These factors generate risks that may result in material misstatements of the financial statements of companies in that industry. Auditors have to adjust their tests accordingly.

Nature of the Entity

The auditor should examine the following issues for the purpose of risk assessment as stated by ISA 315 in Appendix 1:

Business Operations

  • What is the nature of revenue sources? (Is the company in manufacturing, wholesale, import/export, financial services, etc.?)
  • Who are the major customers? What are the present profit margins? What is the existing market share? Who are the competitors?
  • Is the company involved in any alliances, joint ventures and outsourcing activities?
  • Is the company involved in any electronic commerce including Internet sales?
  • Who are the important suppliers of goods and services? Is there stability of supply? What are the terms of payment and methods of delivery?
  • Is the company planning to acquire another business or enter into a merger? Are there plans to dispose of part of its business segment?
  • Are there investments in nonconsolidated entities, including partnerships, joint ventures, and special purpose entities? (This is important because companies like Enron used special purpose entities for the purpose of illegal off balance sheet financing, according to Schwarcz (2002). A special purpose entity is a legal entity, usually a limited liability company or limited partnership of some type, created to fulfill narrow, specific, or temporary objectives. Its main purpose is to isolate the firm from financial risk; refer to International Financial Reporting Standards, IFRS 10.)
  • What is the debt structure of the firm? That is, how much debt is short term, needing to be paid back within one year of the balance sheet date, and how much may not have to be paid off for a longer time than that?
  • What is the overall group structure? (Major subsidiaries and associated entities if any)
  • Are there any related party transactions?
  • Does the company use derivative financial instruments in any way? (Derivatives are financial instruments whose value changes in response to changes in interest rates, commodity prices, foreign exchange rates, and similar variables; summarized from the Standard Chartered Bank Annual Report 2010, p. 56.)

Financial Reporting

  • What are the industry specific practices for this entity?
  • What revenue recognition practices are used?
  • Where are the entity’s locations and what are the related quantities of the entity’s reported inventories?
  • Are there any foreign currency transactions? If so, what are the foreign currency assets and liabilities?
  • Are there any unusual or complex transactions? (Examples of unusual transactions include emerging areas or areas where the law is not resolved, for example accounting for stock based compensation).

ISA 315 notes that all of the issues mentioned in the preceding list have an impact on the risk of a business which, in turn, affects the financial statements. We define business risk as any risk that could potentially affect the financial statements. The possibility of a company’s investment losing its value, for example, is a business risk: if investments significantly reduce in value, this could have an adverse effect on the financial statements, which in turn could create incentives to fraudulently misstate them.

Financing or finance structure is important in determining business risk. For example, a business could create special purpose entities for the purpose of off balance sheet financing, as Enron did. This is not fraud and is legal. However, it could affect business risk because the existence of special purpose entities could create incentives for managers to use them as a device to illegally engage in earnings management. Enron, for example, according to Matthew Benjamin in U.S. News and World Report (April 8, 2002), overstated profits in 1999 by $250 million through the use of special purpose entities. Enron also engaged in related party transactions to double reported earnings in 2000. In the presence of material misstatement, information on debt structure, off balance sheet financing, and related parties can give auditors an insight into the extent of the risk of material misstatement. While the PCAOB conforms almost entirely to the ISA with respect to the issues discussed in this paragraph, there are minor differences.

Overall Objectives, Strategies, and Related Business Risks

According to ISA 315 Appendix 1, examples of issues and matters that the auditor could consider are the following:

  • Does the entity have the personnel or expertise to deal with changes in the industry?
  • Has the company introduced new products and services? (If so, is there increased product liability?)
  • Are there new accounting requirements that the company is required to follow? (Risks could include improper implementation or hidden costs in doing so.)
  • Are there regulatory requirements that may increase legal exposure?
  • Has the company introduced new information technology (IT)? (A risk here may be that the company’s systems and processes may be incompatible or internal controls not implemented.)

All of these create pressures on management. Similarly, if there are regulatory requirements that increase legal exposure, this also increases business risk. Most business risks eventually have a financial consequence and find their way into the financial statements. Hence, based on the questions in the preceding section, if the auditor feels that business risks are accentuated, then the audit tests may have to be adjusted accordingly. The differences between ISA and PCAOB would appear to relate only to the placement of information. For example, in relation to the guidance discussed above, ISA discusses these issues in ISA 500, whereas in the U.S. the PCAOB discusses the requirements in AS 5. The only difference is placement, which does not create a difference between the ISAs as a whole and the PCAOB standards as a whole, as the AICPA notes (

Measurement and Review of the Entity’s Financial Performance

Based on Appendix 1 of ISA 315, examples of matters that an auditor could consider for the purpose of risk assessment are the following:

  • What are the key ratios and performance indicators that should be used when analyzing the business? What information do these performance indicators tell us?
  • What do forecasts and variance analysis reports from budgets tell us?
  • What do analyst reports and credit ratings reports tell us?
  • What information does period to period comparative analysis (revenue growth/decline, profitability increase/decline, etc.) tell us?

Information such as variance analysis based on budgets, other performance level reports, and comparisons of an entity’s performance with that of competitors gives the auditor insight into risks. Significant deviations from budgets (e.g., variations of actual sales results from the budgeted expectation for sales) and significant variations from competitors’ reported results may indicate a risk of misstatement of financial information. This is important to the auditor in deciding on audit tests. There are minor differences between the ISA and the PCAOB. Whereas the ISA uses the word significant (e.g., significant deviations from budget, etc.), the PCAOB’s AS 5 uses words such as relevant and material. The AICPA ( believes that this should not create any difference between the application of ISA 330 and the PCAOB’s AS 5. However, there is one significant difference. AS 5 specifically addresses the question of whether the person performing the control in the client entity possesses the necessary authority and competence to perform the controls discussed here. Under AS 5 of the PCAOB, the auditor has to check the authority and competence of the person performing the different controls. The ISA has no such requirement.

Now we turn the discussion to internal control tools an organization uses to control risks and the auditor’s assessment of the entity’s use of those tools. External risks to the entity, such as risks stemming from the nature of its environment, may not be controllable by the entity. Other risks to it, such as those stemming from employee theft and the like, are potentially controllable by it. Both are addressed in the following sections.

Review of Internal Controls

At the outset, we must note the guidance on internal control provided by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the latest version of which was published in 2013. The COSO 2013 Internal Control-Integrated Framework provides additional guidance to organizations. This was felt necessary in the light of changes in the business and operating environments since the original COSO framework came into effect. The new framework, according to COSO, broadens the application of internal controls in addressing operations and reporting objectives. COSO has also discussed tools for assessing the effectiveness of a system of internal control. We do not delve into this area because that is not the purpose of this book. Rather, we recommend that interested readers check this website for more details:

We now focus on the guidance provided by the ISA with respect to internal controls. ISA 315 states that internal control comprises five interrelated components (based on Appendix 2 of ISA 315):

  • The control environment
  • The entity’s risk assessment process
  • The information system, including the related business processes relevant to financial reporting and communication
  • Control procedures/activities
  • Monitoring of controls

These will be discussed individually. A detailed explanation is provided in Appendix 2 of ISA 315.

Control Environment

According to ISA 315, the control environment includes the attitudes, awareness, and actions of management and those charged with governance concerning the entity’s internal control and its importance in the entity. According to ISA 315, the control environment encompasses the following elements (refer to Appendix 2 of ISA 315):

Communication and Enforcement of Integrity and Ethical Values

If the people administering controls have low integrity and ethical values, the controls cannot be considered to be effective. The controls are only as good as the people who are responsible for administering them. This is the reason that this standard includes integrity and ethical values as essential elements of the control environment. Auditors must check if managers have incentives or temptations to engage in dishonest, illegal, or unethical acts.

Commitment to Competence

Competence is defined as the knowledge and skills necessary to accomplish tasks that define the individual’s job. Auditors should check the qualifications and experience of those working in the organization.

Participation by Those Charged With Governance

Those charged with governance should be independent of the management. Auditors should ensure that companies have codes of practice/conduct and other regulations or guidance for those in charge of governance.

Management's Philosophy and Operating Style

These encompass a broad range of characteristics. The auditor can develop an understanding of management’s philosophy and operating style from management’s attitude in dealing with the auditor. For example, if management is aggressive with respect to selecting accounting principles and argues with the auditors about its choice of accounting principles, this should send a warning signal to the auditors.

Organizational Structure

Auditors should study the organizational structure including key areas of authority and responsibility and check how operating activities are assigned and how the chain of responsibility for controlling employee behavior is established. The auditor is also required to check the appropriateness of the organizational structure based on the size and nature of the firm’s activities. If the organizational structure appears too complicated based on the size of the company and the nature of its activities, then it should be a warning signal to auditors.

Closely related to organizational structure are the organization’s practices in the assignment of authority and responsibility. Accordingly, the auditor should check how authority and responsibility for operating activities are assigned. Does the firm have policies relating to appropriate business practices? Do key personnel have adequate knowledge and experience to carry out their tasks? Have all personnel read the manual, and do they understand the company’s objectives? Also, if individuals have the authority to carry out an activity but not the responsibility to actually do so or to see that it is done, it may not be done. Alternatively, if individuals have the responsibility to carry out an activity but not the authority, the activity may also not be carried out.

Human Resources Policies and Practices

This relates to recruitment, training, evaluating, counseling, promoting, compensating, and taking remedial actions against employees. Do the training policies include practices such as adequate training and regular seminars to ensure that employees meet expected levels of performance and behavior? Are promotions driven by periodic performance appraisals? All these provide insight for the auditor about the risk associated with the company.

In summary, elements which indicate a successful environment according to ISA 315 in its Appendix 2 are:

  • Communication and enforcement of integrity and ethical values;
  • A management committed to competence;
  • Management’s philosophy and operating style;
  • A clear organizational structure that fits the firm’s size and operating activities;
  • A proper assignment of authority and responsibility; and
  • Adequate human resources policies and practices.

This section addressed the organization’s control environment. The control environment establishes key things about the organization that the auditor needs to understand. In the next section, we address the entity’s risk assessment process. Organizations need to understand the risks they face in order to prevent avoidable damage to the organization. The auditor, of course, needs to understand how the organization assesses risk. Understanding how the organization assesses risk and the organization’s view of what risks it faces helps the auditor in developing its plans for conducting the audit.

The Auditor’s Assessment of the Entity’s Risk Assessment Process

Appendix 2 of ISA 315 provides clear guidance to the auditor on how to assess risk.

In general, all components of internal control, from the control environment to monitoring, should be assessed for risk. The risk assessment process is the process of identifying business risks and the consequences of those risks to the organization. Whereas our discussion of risk assessment earlier in the chapter was at a more general level, we now focus more narrowly on the organization and on threats to the integrity of the output of its accounting system. From the auditor’s perspective, the following questions must be asked with regard to the preparation of the financial statements:

  • How does management identify risks of material misstatement in the financial statements that could distort a true and fair view? The terms true and fair view and present fairly in all material respects are considered equivalent by ISA 200, even though the ISA uses true and fair view and the PCAOB uses present fairly. However, this is a subject of controversy. Some auditors argue that the terms present fairly and true and fair view are not equivalent. Some auditors say present fairly means in accordance with laws and regulations. True and fair view, they say, includes the possibility of deviating from law and regulation when that deviation provides a true view. (Please refer to Hayes et al. (2005), chapter one, for this discussion.) For the purpose of this book, we do not enter into this argument but conform to ISA 200, which still assumes equivalence.
  • How does management estimate the significance of events that could jeopardize the presentation of a true and fair view?
  • How does management assess the likelihood of their occurrence?
  • How does management take action to prevent their occurrence?

An example of an event that could cause material misstatement in the financial statements is an unrecorded transaction. This is clearly a business risk. The auditor should assess the actions management takes to identify and prevent the possibility of unrecorded transactions. Has management initiated plans, programs, or actions to address the risk of transactions going unrecorded? If the auditor feels that management is lax in this respect, then the auditor’s assessment of risk will be greater than in a situation where management appears to be stringent.

ISA 315 notes that the auditor should watch out for the following, as they could affect risk or change existing risks. Understanding the risks that a client entity faces is vital in understanding the potential problem areas the auditor should scrutinize. Earlier, we described potential areas of risk; building on these, the auditor should ask the following questions of management (please refer to Appendix 2 of ISA 315):

  • Have there been changes in the operating environment, either technological or competitive?
  • Are there new personnel operating in key functions?
  • Has the information system been revamped, or has a new information system been introduced?
  • Has there been unusually rapid growth in operations?
  • Has the company entered into a new business area?
  • Has there been corporate restructuring of the business?
  • Are there new accounting pronouncements that the company is now required to follow?

All of these changes can significantly affect internal control and, hence, influence the tests auditors intend to perform. If any of these events has happened, the auditor is requested to identify the possible problems that may occur. For example, let us take a company such as Walmart. Walmart imports products made in China extensively. Now assume that it intends to import apparel and related products from India. Firm-wide risks that should be considered relate to: quality (e.g., is it of the required quality? Will the products arrive on time?); currency rate fluctuations; potential trade embargoes arising from political instability if the present government is replaced by a socialist regime; and so on.

Paragraphs 8 to 12 of Appendix 2 of ISA 315 also request auditors to examine the information system. In particular, auditors are requested to address the following issues:

  • Does the information system identify and record all valid transactions?
  • Does the system provide an adequate description of the transactions in sufficient detail to ensure proper classifications of the transactions for financial reporting?
  • Are the values of the transactions measured accurately?
  • Is the timing of each transaction captured accurately enough to permit its recording in the proper accounting period?

If any of these conditions does not hold, the financial statements may be materially misstated. In ISA terms, this means that they do not present a true and fair view of the entity’s underlying economic reality, measured according to IFRS. In PCAOB terms, this means that the financial statements are not presented fairly in accordance with generally accepted accounting principles (in the United States).

ISA 315 also makes special provisions for small entities. ISA recognizes that small entities are likely to be less formal than larger entities. Accordingly, small entities are not required to have extensive descriptions of accounting procedures, sophisticated accounting records, or even written policies. ISA 315 also emphasizes special risks arising from technology or changes in technology that management should be aware of.

Significant Risks that Require Special Audit Consideration

As part of the risk assessment, ISA 315 also requires auditors to identify whether there are significant risks that warrant the auditor’s special attention (paragraphs 108 to 114 and 119). However, ISA 315 does not specify what the term significant risk actually means. The auditor is required to use his or her professional judgment. Significant risks are risks that arise from business risks discussed earlier. Significant risks arise from nonroutine, complex transactions, not from routine, simple transactions. Once the auditor determines that a significant risk exists, then the auditor is required (paragraph 109) to ascertain whether:

  • The risk relates to fraud; that is, does the existence of this risk create a situation where the entity is vulnerable to fraud by employees or top management?
  • The risk is related to recent significant economic, accounting, or other developments.

The probability of the auditor being sued is greater with the existence of fraud. For significant risks, the auditor should specifically examine the entity’s related controls over financial reporting and make recommendations. They should then ascertain whether those recommendations have been implemented. By doing this, the auditor can protect themselves from legal liability if an irregularity or fraud is discovered.

The Information System Including Related Business Processes Relevant to Financial Reporting and Communication

ISA 315 says that IT can be used to transfer information automatically from transaction processing systems through the general ledger to financial reporting. It has been noted that the automated processes and controls in such systems may reduce the risk of inadvertent error but create new risks. This is because, when IT is used to transfer information automatically, there may be little or no visible evidence that an unauthorized intrusion into the information system occurred. Paragraph 93 of ISA 315 pays special attention to this problem. Hayes et al. summarize the risks that IT poses to an entity’s internal control. They state that problems can arise because of the following:

  • The managers (and auditor) rely on systems or programs that could be inaccurately processing data or processing inaccurate data or both.
  • There could be unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions.
  • There may be unauthorized changes to data in master files.
  • Programmers may fail to make necessary changes to systems or programs.
  • Potential loss of data or inability to access data by personnel when required.

(summary of page 249, Hayes et al.)

ISA 315 (paragraph 93) requires the auditor to obtain an understanding of how the entity has responded to risks from IT. The auditor should consider the risks of IT (noted earlier) and examine whether the entity has responded adequately to those risks by establishing effective general IT controls and application controls. General IT controls are defined as those that maintain the integrity of information and the security of data; they include controls that cover the following (refer to paragraph 94 of ISA 315).

  • Data center and network operations
  • System software acquisition, change, and maintenance
  • Access security
  • Application system acquisition, development, and maintenance

We now discuss other risks that are highlighted in ISA 315 as requiring special attention.

Control Procedures/Activities

Control procedures are policies and procedures that help ensure that management instructions are carried out. They are the actions taken to address risks that threaten the attainment of the organization’s objectives. Paragraph 90 of ISA 315 gives the following examples of control activities:

  • Authorization
  • Performance reviews
  • Information processing
  • Physical controls
  • Segregation of duties


Employees perform tasks and make decisions that affect company assets. Hayes et al. (2005) note that management may not have the time or resources to supervise all activities or approve all related transactions. They establish general policies for employees to follow, and based on the individuals’ job descriptions, empower them to perform activities and make decisions. This empowerment is called authorization. Authorization is an important part of an organization’s control procedures. Authorizations are often documented by signing, initialing, or entering an authorization code on the document or record representing the transaction. In Europe, most IT systems are now capable of recording a digital signature. This is a means of signing a document with a piece of data that cannot be forged. Auditors are required to review samples of transactions to verify proper authorization. The absence of authorization may indicate that control problems exist. In the case of Parmalat, among the many fraudulent activities subsequently discovered was one in which purchase requisitions authorizing purchases were not authorized by the requisite person in charge but were personally authorized by a manager who was not in charge. It must also be noted that certain activities or transactions may be of such importance that management must grant specific authorization for them to occur. For example, in Parmalat, management review and approval was often required for sales in excess of 20,000 Euros, capital expenditures in excess of 10,000 Euros, and uncollectible write-offs in excess of 5,000 Euros. Parmalat was a situation where control requirements were in place but were often violated. Thus the auditor is required to sample transactions to ensure they were properly authorized. They must also check what authorization is required for each transaction type. Examples are shown in the table below. 
Table 6.1 presents a list of transaction types and related ways to authorize parts of those transactions; for example, when a sale is made, granting credit to the customer must be authorized, then authorization to ship the product must be made, and if any or all of the shipment needs to be returned, there must be an authorization for the sales return or allowance given.

Table 6.1 Transaction types and authorization examples

Transaction type, with examples of authorization functions:

  • Sales orders
    • Approval of customer credit
    • Approval of shipment
    • Approval of sales returns and allowances
    • Write offs of uncollectible accounts
  • (transaction type not given in the source)
    • Authorization to order goods or services
    • Authorization of capital expenditures
    • Selection of vendors
    • Acceptances of delivered products
  • (transaction type not given in the source)
    • Approval of products and quantities to be produced
    • Approval of raw materials issued for use in production
    • Approval of production schedules
    • Approval of completed products
  • Human resources/payroll
    • Hiring of new employees
    • Approval of increases in employee compensation
    • Approval of records of time worked
    • Approval of payroll withholdings
  • Cash receipts
    • Endorsement of checks for deposit in bank
  • Cash disbursement
    • Approval of vendor invoices for payment
    • Approval of checks written to settle accounts payable
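The sampling of transactions for proper authorization described above can be expressed as a small re-performable test. The following is an added example written for this chapter, not code from the book, from ISA 315 or from AS 5. The amount thresholds are the Parmalat figures quoted in the text (sales above 20,000, capital expenditures above 10,000, write-offs above 5,000 require specific management approval); the role names, the employee directory and the transaction records are constructed assumptions, and the rule that a management sign-off satisfies any lower-level requirement is an assumption too.

```python
"""Sample-test recorded authorizations against an approval policy.

Added example, not taken from the book, ISA 315 or AS 5. The amount
thresholds are the Parmalat figures quoted in the text; the roles,
employee directory and transaction records are constructed sample data.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed policy: transaction type -> who may normally approve, and the
# amount above which specific management approval is required instead.
POLICY = {
    "sale":      {"normal": "credit_manager", "limit": 20_000, "above": "management"},
    "capex":     {"normal": "dept_head",      "limit": 10_000, "above": "management"},
    "write_off": {"normal": "ar_supervisor",  "limit": 5_000,  "above": "management"},
}

# Constructed employee directory: employee id -> role.
ROLES = {
    "E01": "credit_manager",
    "E02": "dept_head",
    "E03": "ar_supervisor",
    "E04": "management",
    "E05": "sales_clerk",
}


@dataclass(frozen=True)
class Txn:
    txn_id: str
    kind: str
    amount: float
    approver: Optional[str]   # employee id on the authorization, None if absent


def required_role(kind: str, amount: float) -> str:
    """Role the policy requires for this transaction type and amount."""
    rule = POLICY[kind]
    return rule["above"] if amount > rule["limit"] else rule["normal"]


def check_authorization(txn: Txn) -> Optional[str]:
    """Return None when the transaction is properly authorized, otherwise a
    description of the exception (the finding an auditor would record)."""
    if txn.approver is None:
        return "no authorization recorded"
    actual = ROLES.get(txn.approver)
    if actual is None:
        return f"approver {txn.approver} is not in the employee directory"
    need = required_role(txn.kind, txn.amount)
    # Assumption: a management sign-off satisfies any lower-level requirement.
    if actual == need or actual == "management":
        return None
    return f"approved by {actual}, policy requires {need}"


def select_sample(population: List[Txn], size: int, seed: int) -> List[Txn]:
    """Seeded random sample so the selection can be re-performed from the workpapers."""
    return random.Random(seed).sample(population, size)


def audit_authorizations(sample: List[Txn]) -> Dict[str, str]:
    """Map txn_id -> exception for every sampled transaction that fails the test."""
    findings = {}
    for t in sample:
        problem = check_authorization(t)
        if problem is not None:
            findings[t.txn_id] = problem
    return findings


# Constructed transaction population.
TRANSACTIONS = [
    Txn("S-1001", "sale", 15_000, "E01"),       # within limit, credit manager: ok
    Txn("S-1002", "sale", 25_000, "E01"),       # above limit, needs management
    Txn("S-1003", "sale", 8_000, "E05"),        # approved by a sales clerk
    Txn("C-2001", "capex", 12_500, "E04"),      # above limit, management: ok
    Txn("W-3001", "write_off", 4_000, None),    # no authorization at all
    Txn("W-3002", "write_off", 6_000, "E03"),   # above limit, needs management
]

if __name__ == "__main__":
    for txn_id, finding in audit_authorizations(TRANSACTIONS).items():
        print(txn_id, finding)
```

The exceptions the test produces are exactly the Parmalat pattern from the text: transactions approved by someone other than the person in charge, and transactions above a threshold that never received the specific management approval the policy requires.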

Performance Reviews

Under the PCAOB’s AS 5, performance reviews are called independent internal verification. The definitions, however, are basically the same. Performance reviews are independent checks on performance by a third party not directly involved in the activity. An example of an accounting-related performance review is a bank reconciliation. Whereas a general ledger clerk would be responsible for maintaining accounting records and a cashier would be responsible for cash, the bank reconciliation should be done by a third person who handles neither the accounting records nor cash. Another accounting-related example of a performance review relates to the reconciliation of accounts receivable. An accounts receivable clerk should maintain the customers’ accounts and balances. To determine the accuracy of the balances, a person independent of the accounts receivable clerk and the cashier should open control accounts. The total sales for a specified period (monthly, quarterly) and the cash received from customers are obtained from the sales clerk and the cashier respectively. The accounts receivable total can be determined by subtracting total cash collected from total credit sales. That total is then checked against the total of the customer balances sent by the accounts receivable clerk. This requirement is common to both the U.S. AS and the ISA.
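The independent accounts receivable verification just described, as an added example (not code from the book): the reviewer, who is neither the AR clerk nor the cashier, rebuilds each customer’s expected balance from the sales journal and the cash receipts journal, compares it with the subsidiary ledger the AR clerk maintains, and localizes any difference to the customers concerned. It goes slightly beyond the text’s control-account arithmetic by carrying an opening balance per customer; the journal entries and balances are constructed sample data.

```python
"""Independent verification of accounts receivable balances.

Added example, not from the book. The reviewer rebuilds each customer's
expected balance as opening balance + credit sales - cash received, then
compares it with the subsidiary ledger kept by the AR clerk. The text's
control-account calculation assumes a zero opening balance; this version
carries one. All journal entries and balances below are constructed.
"""
from collections import defaultdict
from decimal import Decimal
from typing import Dict, List, Tuple

Journal = List[Tuple[str, str]]          # (customer, amount as a decimal string)
Balances = Dict[str, Decimal]


def aggregate(journal: Journal) -> Balances:
    """Sum journal lines per customer (Decimal avoids float rounding noise)."""
    totals: Balances = defaultdict(Decimal)
    for customer, amount in journal:
        totals[customer] += Decimal(amount)
    return dict(totals)


def reconcile_receivables(opening: Balances, sales_journal: Journal,
                          cash_receipts_journal: Journal,
                          subsidiary_ledger: Balances):
    """Return (expected_control_total, subsidiary_total, differences).

    differences maps customer -> subsidiary balance minus expected balance
    for every customer whose two balances disagree; an empty dict means the
    subsidiary ledger reconciles to the independently built control account.
    """
    zero = Decimal("0")
    sales = aggregate(sales_journal)
    cash = aggregate(cash_receipts_journal)
    customers = set(opening) | set(sales) | set(cash) | set(subsidiary_ledger)
    expected = {
        c: opening.get(c, zero) + sales.get(c, zero) - cash.get(c, zero)
        for c in customers
    }
    differences = {
        c: subsidiary_ledger.get(c, zero) - expected[c]
        for c in sorted(customers)
        if subsidiary_ledger.get(c, zero) != expected[c]
    }
    return sum(expected.values(), zero), sum(subsidiary_ledger.values(), zero), differences


# Constructed data for one period.
OPENING = {"Acme": Decimal("1000"), "Birch": Decimal("500")}
SALES_JOURNAL = [("Acme", "1200"), ("Acme", "800"), ("Birch", "1500"), ("Cedar", "700")]
CASH_RECEIPTS = [("Acme", "1800"), ("Birch", "500")]
# Subsidiary ledger as reported by the AR clerk; Cedar is overstated by 200.
SUBSIDIARY = {"Acme": Decimal("1200"), "Birch": Decimal("1500"), "Cedar": Decimal("900")}

if __name__ == "__main__":
    expected_total, ledger_total, diffs = reconcile_receivables(
        OPENING, SALES_JOURNAL, CASH_RECEIPTS, SUBSIDIARY)
    print("control account:", expected_total, "subsidiary ledger:", ledger_total)
    for customer, diff in diffs.items():
        print(f"{customer}: subsidiary ledger differs from control by {diff:+}")
```

The value of the check comes from the separation of sources: the reviewer never uses the AR clerk’s own figures to build the control balance, so an error or an unauthorized adjustment in the subsidiary ledger shows up as a difference rather than being absorbed.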

Some performance reviews are not accounting-related, but are still important for the auditor to review. For example, in the United States, under the PCAOB’s AS 5, auditors are also required to sample test the authorization of nonfinancial controls. The importance of doing so was learned from the El Paso Energy Company scandal of 2000. El Paso Energy was accused of illegally withholding power from the state of California during the energy crisis of 2000. Top management was not aware that traders were engaging in such behavior because it did not have an effective monitoring control. The auditors of El Paso Energy Company missed this. The El Paso Energy Company paid a fine of over $1 billion to the state of California because of this behavior. The lesson learnt in the United States was that monitoring should not apply only to financial or reporting controls. Thus auditors in the United States under the PCAOB’s AS 5 are required to sample test authorization controls of nonfinancial controls. This appears to be unique to the United States; sample testing of authorization controls of nonfinancial controls is not emphasized in the ISA.

Physical Controls

These are controls to ensure that assets are safeguarded. Cash registers, safes, lockboxes, and safety deposit boxes can be used to limit access to cash, and other paper assets. Restricting access to physical locations, and having locks on doors and guards are also recommended. Computer facilities should also be guarded from unauthorized access. The auditor should test the security arrangements.

Segregation of Duties

Segregation of duties seeks to ensure that no single employee is given too much responsibility. An employee should not be in a position to perpetrate and conceal the fraud. Effective segregation of duty requires that the following functions be separated:

  • Authorization: This involves approving transactions and decisions.
  • Recording: This involves preparing source documents; maintaining journals, ledgers, or other files; preparing reconciliations; and preparing performance reports.
  • Custody: This is the physical control over assets or records.

    This may be direct, as in the case of handling cash or maintaining an inventory storeroom, or indirect, as in the case of receiving customer checks via mail or writing checks on the organization’s bank account.

ISA 315 notes that the separation of these three functions is an essential element of control (based on the discussion in paragraphs 69 and 90). Individuals who authorize transactions should not be responsible for recording those transactions or have custody of the assets acquired as a result of the transaction. The same applies under PCAOB standards as well. In the international example involving Barings, a 300-year-old British bank, Nicholas Leeson, the manager of the Singapore branch, had custody of assets and also the authority to invest them. Leeson made investments in Nikkei exchange indexed derivatives. Because the same person both authorized the transactions and handled the related assets, Leeson was able to continue investing after losing money in the hope of recovering his losses.
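The three-way split of authorization, recording and custody can be checked mechanically against a system’s role assignments. The following is an added example, not code from the book or from ISA 315: it flags any person holding two or more of the three functions within one transaction cycle, derives the role pairs that must never be combined, and offers a provisioning-time check for new access requests. The role catalogue and user assignments are constructed; the "leeson" entry reproduces the Barings pattern in the text (custody of the assets plus the authority to invest them).

```python
"""Detect segregation-of-duties conflicts in system role assignments.

Added example, not from the book or ISA 315. A person holding two or more
of authorize/record/custody within the same transaction cycle is flagged.
All roles and assignments below are constructed.
"""
from collections import defaultdict
from itertools import combinations
from typing import Dict, Set, Tuple

# Constructed: system role -> (transaction cycle, control function granted).
ROLE_FUNCTIONS: Dict[str, Tuple[str, str]] = {
    "treasury_trader":   ("investments", "authorize"),
    "settlements_clerk": ("investments", "record"),
    "custodian":         ("investments", "custody"),
    "ap_approver":       ("purchases", "authorize"),
    "ap_clerk":          ("purchases", "record"),
    "cheque_signer":     ("purchases", "custody"),
    "gl_clerk":          ("cash", "record"),
    "cashier":           ("cash", "custody"),
}

# Constructed: user -> roles currently assigned.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "leeson": {"treasury_trader", "custodian"},   # the Barings pattern
    "alice":  {"ap_approver"},
    "bob":    {"ap_clerk", "cheque_signer"},      # records payables and signs cheques
    "carol":  {"gl_clerk"},
    "dave":   {"cashier"},
}


def functions_held(roles, role_functions=ROLE_FUNCTIONS):
    """Group the control functions a user holds by transaction cycle."""
    held = defaultdict(set)
    for role in roles:
        cycle, function = role_functions[role]
        held[cycle].add(function)
    return held


def find_sod_conflicts(assignments=ASSIGNMENTS, role_functions=ROLE_FUNCTIONS):
    """Return {user: {cycle: [functions]}} for every user who holds two or
    more of authorize/record/custody within one cycle."""
    conflicts = {}
    for user, roles in assignments.items():
        for cycle, functions in functions_held(roles, role_functions).items():
            if len(functions) >= 2:
                conflicts.setdefault(user, {})[cycle] = sorted(functions)
    return conflicts


def toxic_role_pairs(role_functions=ROLE_FUNCTIONS):
    """Role pairs that would combine two different control functions in the
    same cycle; access provisioning can refuse any request that would leave
    one user holding both roles of a pair."""
    pairs = set()
    for (r1, (c1, f1)), (r2, (c2, f2)) in combinations(sorted(role_functions.items()), 2):
        if c1 == c2 and f1 != f2:
            pairs.add((r1, r2))
    return pairs


def would_conflict(user, new_role, assignments=ASSIGNMENTS, role_functions=ROLE_FUNCTIONS):
    """Provisioning-time check: would granting new_role to user create a conflict?"""
    roles = set(assignments.get(user, set())) | {new_role}
    return any(len(f) >= 2 for f in functions_held(roles, role_functions).values())


if __name__ == "__main__":
    for user, cycles in find_sod_conflicts().items():
        print(user, cycles)
```

Reviewing existing assignments (find_sod_conflicts) is the detective control an auditor can re-perform from an access export; the pairwise check at grant time (would_conflict) is the preventive control that stops the Barings combination from arising in the first place.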

Information Processing

This refers to the processes of identifying, capturing, and exchanging information in a timely fashion to accomplish the organization’s objectives. An effective accounting information processing system should be capable of:

  • identifying and recording all valid transactions;
  • properly classifying transactions for financial reporting purposes;
  • preparing reports showing the current effect of transactions; and
  • identifying situations of excessive risk.

Control procedures relating to information processing consist primarily of two control types. These are general controls and application controls. Computer facilities themselves should be safeguarded from intrusion and disaster by taking protective steps, in part similar to steps taken for other assets—such as locks on doors.

General Controls

In the IT environment, ISA 315 recommends that operations responsibility and record keeping and IT duties should be separate (Appendix 2).

Systems Analysis Stage

The analysis and programming functions must be separated from the other functions to prevent unauthorized changes in application programs or data. (If a programmer for a bank were allowed to use actual data to test his/her program, the programmer could erase his or her loan balance while conducting a test).


Organizations are required to have formal authorizations for program changes. A written description of such changes must be submitted to a supervising manager for approval, and modifications should be thoroughly tested prior to implementation.

Computer Operations

Computer operators should be rotated among jobs and should not have access to program documentation or logic. When possible, two operators should be in the computer room during processing. A processing log should be maintained and reviewed periodically for evidence of irregularities.

Transaction Authorization

User departments should submit a signed form to verify that transactions have been authorized. Data control personnel should verify the signatures and control totals prior to submitting the input for processing. This procedure would prevent a payroll clerk from submitting a form to increase their pay rate.

AIS Library

The AIS librarian maintains custody of databases, files, and programs in a separate storage area. To separate the custody and operations functions, access to files and programs should be limited to authorized operators at scheduled times or with user authorization. The librarian should keep a record of all data and program file usage but should not have computer access privileges.

Application Controls

Application controls are defined in Appendix 2 of ISA 315 as the application of controls, whether manual or automated, to transaction processing. The primary objective of application controls is to ensure the accuracy of a specific application’s inputs, files, programs and outputs, rather than control the system in general. These controls relate to procedures that result in initiating, recording, processing and reporting both financial and other transactions. Use of these controls is intended to ensure that all transactions processed are (a) authorized, (b) complete in themselves, and (c) accurate. ISA 315 notes that there are several tools available to help ensure this accuracy. This could be accomplished by a number of techniques, for example, checking whether a numbered form is missing from a sequence of such forms that has been processed.
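The two application-level checks mentioned in this chapter, data control verifying signatures and control totals before a batch is processed (Transaction Authorization, above) and the sequence check for a missing numbered form (this section), fit naturally together in one batch validation routine. The following is an added example, not code from the book or ISA 315: the batch header prepared by the user department (record count, amount control total, the range of document numbers issued, and who signed the transmittal) is checked against the detail records, and the sequence check reports document numbers that are missing, duplicated, or outside the issued range. The signer list and all batch data are constructed.

```python
"""Batch input controls: transmittal authorization, control totals and a
sequence check on numbered forms.

Added example, not from the book or ISA 315. All batch data is constructed.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Tuple

AUTHORIZED_SIGNERS = {"payroll_supervisor", "ap_manager"}   # constructed


@dataclass(frozen=True)
class BatchHeader:
    batch_id: str
    record_count: int
    amount_total: Decimal   # financial control total from the transmittal form
    first_doc: int          # document numbers issued for this batch (inclusive)
    last_doc: int
    signed_by: str          # who authorized the batch


@dataclass(frozen=True)
class Record:
    doc_no: int
    account: str
    amount: Decimal


def sequence_check(doc_numbers: List[int], first: int, last: int
                   ) -> Tuple[List[int], List[int], List[int]]:
    """Return (missing, duplicated, out_of_range) document numbers."""
    seen, duplicated, out_of_range = set(), set(), set()
    for n in doc_numbers:
        if n in seen:
            duplicated.add(n)
        seen.add(n)
        if not first <= n <= last:
            out_of_range.add(n)
    missing = set(range(first, last + 1)) - seen
    return sorted(missing), sorted(duplicated), sorted(out_of_range)


def check_batch(header: BatchHeader, records: List[Record]) -> List[str]:
    """Return the control exceptions for a batch; an empty list means the
    batch may be released for processing."""
    problems = []
    if header.signed_by not in AUTHORIZED_SIGNERS:
        problems.append(f"transmittal signed by {header.signed_by!r}, not an authorized signer")
    if len(records) != header.record_count:
        problems.append(f"record count {len(records)} != control count {header.record_count}")
    total = sum((r.amount for r in records), Decimal("0"))
    if total != header.amount_total:
        problems.append(f"amount total {total} != control total {header.amount_total}")
    missing, duplicated, out_of_range = sequence_check(
        [r.doc_no for r in records], header.first_doc, header.last_doc)
    if missing:
        problems.append(f"missing document numbers {missing}")
    if duplicated:
        problems.append(f"duplicated document numbers {duplicated}")
    if out_of_range:
        problems.append(f"document numbers outside issued range {out_of_range}")
    return problems


# Constructed batches. The bad batch balances to its control count and
# total: totals alone would not reveal the authorization and sequence problems.
GOOD_HEADER = BatchHeader("PR-0416", 3, Decimal("7450.00"), 1001, 1003, "payroll_supervisor")
GOOD_RECORDS = [
    Record(1001, "5100", Decimal("3000.00")),
    Record(1002, "5100", Decimal("2450.00")),
    Record(1003, "5200", Decimal("2000.00")),
]

BAD_HEADER = BatchHeader("PR-0417", 5, Decimal("12450.00"), 1001, 1005, "payroll_clerk")
BAD_RECORDS = [
    Record(1001, "5100", Decimal("3000.00")),
    Record(1002, "5100", Decimal("2450.00")),
    Record(1004, "5100", Decimal("3000.00")),
    Record(1004, "5200", Decimal("2000.00")),   # duplicated form number
    Record(1006, "5200", Decimal("2000.00")),   # form not issued for this batch
]

if __name__ == "__main__":
    for header, records in ((GOOD_HEADER, GOOD_RECORDS), (BAD_HEADER, BAD_RECORDS)):
        print(header.batch_id, check_batch(header, records) or "released")
```

The constructed bad batch is deliberately one that a count-and-total check alone would pass; it is the signature verification and the sequence check that surface the unauthorized transmittal, the missing forms 1003 and 1005, the reused form 1004, and form 1006 that was never issued.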

Monitoring of Controls

Not only must controls be in place, but the controls must be monitored by the management to help ensure that they are working. ISA 315 paragraph 18 provides guidance on the monitoring of controls. Control monitoring is a process used to assess the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. Examples given in paragraph 18 are management’s review of whether bank reconciliations are being prepared on a timely basis, internal auditors’ evaluation of sales personnel’s compliance with the entity’s policies on terms of sales contracts and the legal department’s oversight of compliance with the entity’s ethical or business practice policies among other examples. Ongoing monitoring activities should be built into the normal recurring activities of an entity and include regular management and supervisory activities. For example managers of sales, purchasing, and production at divisional and corporate levels should be in touch with operations and should question reports that differ significantly from their knowledge of operations. The auditor must search for evidence that indicates whether management is actively monitoring the controls put in place. Evidence searches include evidence gathered from making inquiries of management, observing management review of control operation, and inspecting documentation showing that management has reviewed such documents as bank reconciliations.

Other Internal Control Standards

The Sarbanes Oxley Act (SOX) in the United States and its Eighth Directive (EU) equivalent, like the ISA, also pay special attention to the design of internal controls. This is because there is now a recognition that sound internal controls are a vital component in enhancing the quality of reported earnings in the financial statements. Both SOX and the Eighth Directive require the preparation by management of an internal control report. In the internal control report, management is required to (a) state that it is its responsibility to establish and maintain adequate systems of internal control and (b) assess its internal controls and provide an opinion on the effectiveness of the firm’s internal controls. The auditor’s responsibility is to assess the correctness of management’s conclusions about the effectiveness of its internal controls as stated in its internal control report. The process the auditor undertakes under the PCAOB’s AS 5 in assessing that correctness is consistent with the internal control assessments required by the ISA. The auditor is required to (partially paragraphs 115 to 118 of ISA 315, but mainly paragraphs 18 to 22 of Appendix 2 of ISA 315):

  • study the design of the internal controls and evaluate the extent to which implementation of the controls mitigates the risk of material misstatement;
  • assess their effectiveness, namely, whether the controls are working as effectively as management states and as intended, taking into account changes in the environment;
  • monitor controls to assess the quality of internal control performance over time;
  • read management’s report assessing its internal controls; and then
  • provide a report expressing the auditor’s opinion on management’s assessment report. The auditor has to consider and state clearly and unequivocally whether, in the auditor’s opinion, the controls effectively prevent, detect, and correct material misstatements.

Again, there are significant differences between ISA and PCAOB. These differences range from insignificant to significant. The insignificant ones relate to slight differences in wording or location of information. The significant differences are summarized in Table 6.2 at the end of this chapter.

Table 6.2 Comparison of internal control test results requirements

  • Must an auditor communicate all significant deficiencies and material weaknesses in writing to the management and the audit committees?
    • PCAOB’s AS 5: Yes.
    • ISA 265: Only if not communicated to the management by other parties.
  • Must the auditor evaluate the appropriateness of communicating internal control problems to the management directly?
    • PCAOB’s AS 5: The auditor need not address the issue of appropriateness.
    • ISA 265: If deemed inappropriate, the auditor does not have to communicate internal control problems directly to the management.
  • Is the auditor given direction on the timeliness of such communication to management?
    • PCAOB’s AS 5: The communication must occur before release of the audit report.
    • ISA 265: Only says that the auditor should communicate on a timely basis, but nothing further is specified.
  • What are the restrictions, if any, on who can receive the auditors’ communication of the internal control test results?
    • PCAOB’s AS 5: Paragraph 6 states that the communication is intended solely for the use of the board of directors, the audit committee, the management, and others within the organization.
    • ISA 265: Does not restrict the audience that can receive the auditor’s communication of internal control test results.
  • What can the auditor report in writing if no significant internal control test deficiencies are found?
    • PCAOB’s AS 5: Paragraph 8 states that the auditor should not report in writing that no significant internal control test result deficiencies were discovered during the financial statement audit.
    • ISA 265: Requires the auditor to state the results, whether negative or positive.
  • When should the auditor communicate about material internal control weaknesses discovered during the audit?
    • PCAOB’s AS 5: Paragraph 9 requires that, when timely communication is important, the auditor communicates issues regarding material internal control weaknesses during the audit.
    • ISA 265: States that the auditor should report material internal control weaknesses at the end of the audit and makes no reference to timing.
  • Is the auditor required to repeat information about deficiencies previously reported to the client?
    • PCAOB’s AS 5: It is not necessary for the auditor to repeat information about the deficiencies that have been included in previously issued written communications. However, if the same deficiency appears from one audited period to the next, the auditor retains the obligation to report the deficiency.
    • ISA 265: Requires the auditor to repeat information about internal control deficiencies irrespective of whether this information has been previously disclosed.

Finally, the results of the testing may indicate material weakness in internal control, which must be reported to management. ISA 265 (paragraphs 7 to 9) states that, should any weakness or discrepancies be observed, the auditor should communicate to management as soon as possible.

Discussions Relating to Material Weaknesses in Internal Control

In the preceding section, we addressed certain issues relevant to the question of internal control reporting. In this section, we provide more detail on the thinking that underlies the internal control report. For example, we discuss differences between standards-setting bodies (e.g., IAASB and PCAOB) in defining material weakness. We also provide more information about the differences between ISA and PCAOB standards.

If material weaknesses are to be reported, it is important to understand what a material weakness is. For example, even though, as noted earlier, ISA 265 recommends communicating material weaknesses, it does not define the term material weakness. This is because, under ISA, the auditor has to report significant deficiencies, and significant deficiencies include material weaknesses. The PCAOB standard on this subject is AS 5, which superseded AU 325. The difference between AS 5 and ISA 265 is that AS 5 defines material weakness whereas ISA 265 does not. Auditors operating in an international arena therefore have more flexibility to define material weakness for the purpose of reporting, as opposed to U.S. auditors, for whom AS 5 provides a clear definition. A material weakness is a deficiency or a combination of deficiencies in internal control over financial reporting such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis. Paragraph 69 of PCAOB’s AS 5 also states that a material weakness in internal control over financial reporting may exist when financial statements are materially misstated. (However, the paragraph elaborates that the auditor should be aware that a material weakness could exist even if the financial statements are not significantly misstated.) Hence, paragraph 6 of PCAOB’s AS 5 recommends that the audit of internal control over financial reporting should be integrated with the audit of the financial statements.

Even with a definition of material weakness in hand, there are differences in the requirements of the PCAOB’s AS 5 and ISA 265. These differences arise because there are requirements in the PCAOB standards that are not in the ISA. PCAOB’s AS 5 requires the auditor to evaluate each deficiency to determine, on the basis of the audit work performed, whether, individually or in combination, the deficiencies constitute significant deficiencies or material weaknesses. The ISA does not mention a requirement for the auditor to evaluate each deficiency in making a determination. However, despite the difference, an AICPA report notes that the PCAOB may believe that the requirement in AS 5 is consistent with the intent of the ISA. In addition, the PCAOB’s AS 5 includes a further requirement not mentioned in the ISA: the auditor can determine that a deficiency or a combination of deficiencies in internal control is NOT a material weakness if prudent officials having knowledge of the same facts and circumstances would likely reach the same conclusion. This issue is not addressed in the ISA. Auditors have more issues to consider in the U.S. relative to Europe for the following reasons:

  • A clear definition of material weakness by PCAOB is provided.
  • Auditors are required to evaluate a combination of deficiencies to ascertain if, in combination, there is a material weakness. Significant deficiencies include material weakness.
  • Auditors also have to consider whether prudent officials having the same knowledge would likely conclude no weakness exists. They could use this to justify their decision if they felt that despite the deficiencies, it did not amount to a material weakness. In the United States, the auditor can report no material weakness if requested.

In the first part of this chapter, we focused on similarities and differences between ISA and PCAOB standards with respect to risk assessment and internal control assessment. In this part of the chapter we focus specifically on internal control assessment and the purpose of testing internal controls, again comparing the PCAOB and ISA standards.

Purpose of Internal Control Assessment

In the United States, AS 5 of the PCAOB establishes requirements and provides direction to the auditor for conducting tests to assess internal controls. The purpose of internal control assessment is, according to AS 5, to form an opinion on the effectiveness of the company’s internal control over financial reporting. Paragraph 3 of AS 5 notes that, because a company’s internal controls cannot be considered effective if one or more material weaknesses exist, in order to form a basis for an opinion the auditor must plan and perform tests that are sufficient to obtain reasonable assurance about whether material weaknesses exist (as of the date of the assessment). AS 5 requires that tests of internal controls over financial reporting be integrated with the audit of the financial statements. AS 5 provides specific examples of controls that an auditor should test. The following are included in these tests (as per paragraph 14 of AS 5):

  • Controls over significant, unusual transactions, particularly those that result in late or unusual journal entries
  • Controls over journal entries and adjustments made in the period-end financial reporting process
  • Controls over related party transactions
  • Controls related to significant management estimates
  • Controls that mitigate incentives for, and pressures on, management to falsify or inappropriately manage financial results

In this respect, there is a significant difference between AS 5 and ISA 315 because ISA 315, although exhaustive, does not have a section that provides examples as shown earlier regarding which specific internal controls to test. Those mentioned in the preceding list particularly relate to fraud detection. This shows an overall philosophical difference between AS 5 and ISA 315. The focus of the PCAOB appears to be somewhat more oriented towards shareholder accountability. This could be a function of the fact that the PCAOB was created by the SOX Act. SOX is concerned with, among others, corporate governance. Corporate governance has a fundamental tenet; organizations are accountable to shareholders. SOX imposed additional duties on boards of directors and tightened the rules of enforcement. Legislation recommends procedures for the audit committee of boards, increases penalties for noncompliance with securities laws among others. Whereas PCAOB has this as a fundamental tenet, this is not the orientation of the ISA. This may be the reason for the differences between the two institutions.

Tests of Internal Controls and Communication of the Results of Those Tests

We find that, with respect to tests of internal controls, there are differences between the ISA and the PCAOB standards. One difference relates to definitions. The other relates to communication of results.

Difference in Definition

Both the PCAOB and the ISA require that the purpose of internal control testing should be to identify material weaknesses and significant deficiencies. However, the relevant ISA (ISA 265) does not provide definitions. Unlike ISA 265, the PCAOB’s AS 5 (dealing with communications about control deficiencies in an audit of financial statements) makes a distinction between material weaknesses and significant deficiencies. The following definition is in the PCAOB’s AS 5 but not in the ISA: material weaknesses are deficiencies such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis. A significant deficiency is defined by the PCAOB as a deficiency, or combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company’s financial reporting (PCAOB’s AS 5).

Communication of Results of Internal Control Tests

In this section, we compare and contrast the responsibility of the auditor with respect to communicating internal control weaknesses to management and audit committees.

  • Must an auditor communicate all significant deficiencies and material weaknesses in writing to management and audit committees?
    • PCAOB’s AS 5: Yes.
    • ISA 265: Only if these were not communicated to the management by other parties.
  • Must the auditor evaluate the appropriateness of communicating internal control problems to the management directly?
    • PCAOB’s AS 5: Paragraph 81 states that the auditor should communicate to the management all internal control over financial reporting deficiencies of which the auditor becomes aware, deficiencies that have not previously been communicated to the management. In this process, the auditor is required to inform the audit committee of its communication of internal control over financial reporting deficiencies.
    • ISA 265: If deemed inappropriate, the auditor does not have to communicate internal control problems directly to management.
  • Does the auditor receive direction on the timeliness of such communication to management?
    • PCAOB’s AS 5: The communication must occur before release of the audit report.
    • ISA 265: The auditor is required to communicate on a timely basis, but nothing further is specified.
  • What are the restrictions, if any, on who can receive the auditors’ communication of internal control test results?
    • PCAOB’s AS 5 does not restrict the audience that can receive the auditor’s communication of internal control test results.
    • ISA 265 does not restrict the audience that can receive the auditor’s communication of internal control test results.
  • What can the auditor report in writing if no significant internal control test deficiencies are found?
    • PCAOB’s AS 5 explicitly states that the auditor should not report in writing that no significant internal control test result deficiencies were discovered during an audit of the financial statements.
    • ISA 265 requires the auditor to state the results, whether negative or positive.
  • When should the auditor communicate about material internal control weaknesses discovered during the audit?
    • PCAOB’s AS 5 requires that when timely communication is important, the auditor should communicate issues regarding material internal control weaknesses during the audit.
    • ISA 265 states that the auditor should report material internal control weaknesses at the end of the audit and has no reference to timing.
  • Is the auditor required to repeat information about deficiencies previously reported to the client?
    • PCAOB’s AS 5 paragraph 81 states that it is not necessary for the auditor to repeat information about the deficiencies that have been included in previously issued written communications, whether by the auditor, the internal auditor, or others. However, if a deficiency reappears in subsequent audit periods, the auditor retains an obligation to report the deficiency.
    • ISA 265 requires the auditor to repeat information about internal control deficiencies irrespective of whether this information had been previously disclosed.

A key difference between PCAOB and ISA audits is that the PCAOB requires the auditor to make an assessment of the effectiveness of internal controls and to integrate that with the audit of the financial statements. AS 5 paragraph 6 clearly states that tests of internal controls should be integrated with the audit of the financial statements. This is referred to as an integrated audit. More important, there is established direction (guidelines) for integrated audits. Such guidelines are not found in the ISAs. Hence, the basic difference is that there is no comparable direction on integrated audits in the ISAs.

In summary, in the ISA, reporting on internal control tests is incidental to the audit of the financial statements and is mainly carried out for the purpose of assessing the risk of material misstatement. The PCAOB appears to have a different philosophy, which holds that reports on internal controls are integral and not incidental. As mentioned, the PCAOB’s AS 5 paragraph 9 provides direction with respect to planning integrated audits. Under AS 5 paragraphs 93 to 98, the auditor is also required to inquire about changes in internal control that could affect financial reporting and that may have occurred after the balance sheet date but before the auditor’s report date. If there are changes in internal control, the auditor is required to evaluate their impact on the audit report. This requirement is not in the ISA. AS 5 also provides direction on using the internal auditor’s work in integrated audits of the financial statements and internal control over financial reporting. This is not mentioned in the ISA.

A summary of this discussion is provided in Table 6.2.


The responsibilities of the auditor to help assure the integrity of the client’s financial statements are complex. In order to achieve this goal, the auditor must acquire an enormous amount of information about the client entity, the risks it faces and the mechanisms it has in place to address those risks. This chapter discusses the auditor’s assessment of risks that the client faces from outside the client firm (e.g., changing technologies) and the risk that the client faces from internal threats (e.g., incompetent or dishonest employees). In doing so, the chapter compares the guidance provided by standards issued by the ISA and the PCAOB. Understanding the nature of internal and external risks facing the client firm and the adequacy of the methods and mechanisms that the firm uses to deal with those risks is clearly important for the client firm. It is also important for the auditor. Unless the auditor understands how risk assessment works and how assessment of internal controls over financial reporting works, it will be difficult for the auditor to do a professionally competent job. Readers of this book also benefit from understanding the sources of risk to an organization and tools available for assessing those risks. Importantly also, readers should understand how auditors examine the internal controls over financial reporting in order for the reader to gain a better grasp of the meaning of both ISA and PCAOB-governed audit reports and the differences between them.
