
2008 Auditing English Lecture Notes: The Risk Assessment and Fraud

Author: Anonymous  Source: compiled by this site  Published: 2008-7-16 10:08:00

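 [Related to Chapters 9 to 11 of the 2008 edition of the Chinese textbook]
  An overall understanding and big-picture grasp of the audited entity is especially important for auditors to carry out an audit successfully and efficiently. Understanding a new audited entity matters even more and is an important part of audit planning: only with a comprehensive, in-depth, objective and accurate understanding of the audited entity can the correct audit strategy be set.
  A new audited entity has two meanings:
  A client being audited for the first time (its first-ever audit)
  A client that is new to you (previously audited by another accounting firm)
  Moreover, understanding clients is not limited to your formal clients; it also covers potential clients. A thorough understanding of a client is one of the important factors in deciding whether to provide audit services to it.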
  A. Internal control
  ISA315 Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement defines the internal control system as:
  The process designed and effected by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of the entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations.
 


  Internal control consists of:
   The control environment
   The entity’s risk assessment process
   The information system, including the related business processes, relevant to financial reporting, and communication
   Control activities
   Monitoring of controls
  Control environment means the overall attitude, awareness and actions of directors and management regarding the internal control system and its importance to the entity.
 


  Risk assessment process is its process for identifying and responding to business risks and the results thereof.
  An information system consists of infrastructure (physical and hardware components), software, people, procedures, and data.
  Control activities are the policies and procedures that help ensure that management directives are carried out.
  Monitoring of controls is a process to assess the quality of internal control performance over time.
  The choice of controls may reflect a comparison of the cost of operating controls against the benefits expected from them.
 


  The size of the enterprise may determine the type of controls selected.
  B. Types of internal control
  Preventative
  These are controls that prevent risks occurring. For example, authorization controls should prevent fraudulent or erroneous transactions taking place. Other preventative controls include segregation of duties, recruiting and training the right staff and having an effective control culture.
 



  Detective
  These are controls that detect if any problems have occurred. They are designed to pick up errors that have not been prevented. These could be exception types of reports that reveal that controls have been circumvented. For example, large amounts paid without being authorized. Other examples could include reconciliations, supervision and internal checks.
 


  Corrective
  Corrective controls are ones that address any problems that have occurred. Where problems are identified, the controls ensure that they are properly rectified. Examples of corrective controls include follow-up procedures and management action.
 


  Clearly the most powerful type of control is preventative. It is more effective to have a control that stops problems occurring rather than to detect or correct them once they have occurred.
  C. Specific control activities
   Reporting, reviewing and approving reconciliations
   Checking the arithmetical accuracy of the records
   Maintaining and reviewing control accounts and trial balances
   Approval and control of documents
   Comparing internal data with external sources of information
   Comparing the results of cash, security and inventory counts with the accounting records
   Limiting direct physical access to assets and records – an important general principle with respect to assets and records is that of segregation. In particular there should be a division of responsibilities for:
   Authorizing or initiating the transaction
   The physical custody and control of assets involved
   Recording the transaction
   Comparing and analyzing the financial results with budgeted amounts
  N.B.
  An examination question might ask you what internal controls you would expect to see in a particular system. If you memorise the eight types of control listed below you will have a good starting point for dealing with such questions. A mnemonic such as SPAM SOAP may help you to remember these eight types of control.
   Organization controls. Responsibilities and lines of reporting should be clearly defined and allocated
   Segregation of duties. There should be a division of responsibilities for:
   Authorizing or initiating the transactions
   Physical custody and control of assets
   Recording the transaction
   Physical controls (e.g. locking cash away securely)
   Authorization and approval (e.g. purchasing limits)
   Arithmetical and accounting (e.g. bank reconciliation)
   Personnel (e.g. providing adequate training)
   Supervision
   Management controls (e.g. the internal audit function). In more detail:
   Should be a clear organization structure
   Should be a balanced board of directors, possibly including non-executives
   Maybe an audit committee, and/or an internal audit department
   Job descriptions, authority limits and systems descriptions should all be documented
   Should be adequate staff training programmes
  D. The difference between tests of control and substantive procedures
  Tests of control are those tests which seek to provide audit evidence that internal control procedures are being properly applied throughout the period under review.
  Substantive procedures are those tests of transactions and balances, and other procedures such as analytical review, which seek to provide audit evidence as to financial statement assertions such as completeness, existence, valuation, presentation and disclosures, etc.
  E. Understanding the system
  ISA315 requires that auditors obtain an understanding of the accounting system and control environment sufficient to determine their audit approach, whether that be a risk-based, systems-based or substantive approach. It also helps with the assessment of inherent and control risk. If control risk is to be assessed as less than high, the justification for that assessment must be documented.
 


  This understanding can be updated year on year and auditors often perform ‘walk through’ tests, to ensure that their understanding and documentation of the system are correct. This simply involves taking a transaction through the system from source to destination. Such tests are particularly useful where the auditor is relying on the client’s documentation of the system.
  ISA315 Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement was issued to provide guidance to auditors on obtaining an understanding of the entity and its environment.
  The auditor should obtain an understanding of the entity and its environment, including its internal control, sufficient to identify and assess the risks of material misstatement of the financial statements whether due to fraud or error, and sufficient to design and perform further audit procedures.
  Knowledge is obtained both before accepting the client and afterwards for each audit.
  The ISA states that obtaining an understanding of the entity and its environment is an essential aspect of performing an audit in accordance with ISAs. It is therefore very important. It helps the auditor when professional judgments have to be made, for example, in determining risks and materiality and in considering whether accounting policies have been selected and applied appropriately.
  In practice, auditors evaluate risks and gather evidence accordingly. It is also an important means of justifying the audit opinion.
  Risk
  Obtaining an understanding of the entity and its environment, including its internal control, is a continuous, dynamic process of gathering, updating and analyzing information throughout the audit.
  There is no set format for the risk assessment, although it is likely to involve:
   Inquiries of management and others within the entity;
   Analytical procedures;
   Observation and inspection;
  Information required:
  The specific areas that the auditor is required to obtain an understanding of are:
   Industry, regulatory and other external factors (including the applicable financial reporting framework)
   The nature of the entity
   The entity’s objectives, strategies and related business risks
   The measurement and review the entity undertakes of its own financial performance
   Internal control
  Testing the internal control system
  1. Strong internal control
  If the answer to an internal control evaluation question indicates that controls appear to exist to prevent the particular error then a test of controls (compliance test) will be performed to ensure the control is operating effectively. ISA 330 The Auditor’s Procedures in Response to Assessed Risks requires that the auditor perform tests of controls to obtain sufficient appropriate audit evidence that the controls were operating effectively at relevant times during the period under audit.
  Compliance tests can take three main forms:
  Examination of evidence - e.g. a member of staff checks incoming purchase invoices against order forms and goods received records and initials them as passed for payment. The auditor might examine a sample of recorded invoices to ensure that they have been initialled. This provides evidence that the sampled items have been signed, although it does not necessarily prove that the staff member actually checked the invoice before signing it.
  Reperformance - e.g. the auditor takes a sample of recorded invoices and traces them back to their supporting order forms and goods received records. This proves that the original comparison by the staff member could have taken place because the necessary supporting evidence exists. In many cases, though, the documents would match up whether the original test took place or not. If the supporting records are missing and the invoices have been signed then the auditor would have strong grounds for believing that the control has not operated.
  Enquiry and observation - e.g. the auditor asks staff to describe the system and listens very carefully for confirmation that a system operates as described. The secret is to ask indirect questions and to avoid leading the interviewee. Rather than asking whether X compares invoices to records, ask X to explain what the process involves and listen for references to order forms and goods records. Supplementary questions such as “What happens if the details don’t match?” help because it will be difficult to make up a consistent series of lies on the spot. Asking X’s colleagues slightly different questions will make it easier to corroborate these assurances. Of course, there is no guarantee that every answer obtained will be truthful.
 


  It does not matter that the auditor cannot prove conclusively that any given control or controls operated consistently throughout the year. It is sufficient that the auditor can prove that sufficient care and skill has been applied to the collection of audit evidence.
  If a compliance test indicates that the control is not operating satisfactorily the system must be re-evaluated. If there are no other controls that can be relied upon it is likely that the area will now be assessed as weak and the auditor may have to use detailed substantive testing in order to gather audit evidence on that area.
  2. Weak internal controls
  If the initial review of internal control indicates an absence of controls to prevent a particular error or omission then the auditor might conduct detailed substantive testing in order to determine whether the weakness has resulted in error and if so to quantify the effect on the financial statements. For example, if purchase invoices are not being checked before they are recorded and paid, the auditor might conduct a very thorough testing, with a relatively large sample, to see whether significant numbers of invalid purchases have been recorded.
  If the system is generally weak then the external auditor is more likely to consider more extreme options, such as resignation, rather than staying and attempting to resolve the problem. It is unlikely that a cost-effective audit could ever be conducted on a system that is very seriously flawed.
 


  F. External auditors need internal control
  At an early stage in their work, auditors have to decide how far they wish to place reliance on the internal controls of the enterprise.
  Reliance on internal control will reduce the amount of substantive testing of transactions required.
  The auditor also usually has an additional responsibility under legislation to form an opinion as to whether proper accounting records have been kept.
 


  N.B.
  (1) The operation of internal controls should ensure the completeness and accuracy of the accounting records.
  
  (2) Internal auditors need internal control
  A key objective of the internal auditor is to review the organization’s system of internal control and to provide assurance that the corporate governance requirements are being met.
  Tests of control include: tests of design and tests of operation.
  (3) Companies need internal control
  Companies need internal controls to stop things going missing and to achieve their objectives.
  G. Documenting the system
  The various methods of ascertaining and recording the system may be summarized as follows:
  

  Ascertaining:
  (a) Examining previous audit work
  (b) Client’s own documentation of the system
  (c) Interviews with client’s staff
  (d) Tracing transactions
  (e) Examining client’s documents
  (f) Observation of client’s procedures
  Recording:
  (a) Narrative notes
  (b) Organization chart
  (c) Internal control questionnaires (ICQs) or checklists
  (d) Flowcharts
  Mini-question
  Give four ways in which an auditor might record a client’s system, briefly explaining the advantages and limitations for each one.
  Solution:
  1. Narrative systems notes
  This is a simple convenient way of recording a system – the quickest approach in a small, unsophisticated system
  However, it suffers from the disadvantages that:
   It will be cumbersome in a large system
   It may be difficult to interpret and review
   It may be difficult to alter if the system changes
   It may be easy to miss ‘loose ends’ or even to miss out whole sections of the system.
  2. Organization charts
  These are a convenient way of showing the individuals in an organization and the lines for reporting and delegation of responsibilities between those individuals; useful to indicate who should report to whom.
  However, they do not
  3. Internal control questionnaire
  The ICQ is a preprinted document used widely in practice to ascertain controls in a client’s system. It helps to ensure a formal approach to systems recording. The auditor’s attention should be drawn to the need for controls in the system. It is easy to cross-reference to other working papers.
  It has few disadvantages except that it may be used improperly. The auditor may waste time asking unnecessary questions using a standard ICQ. It may encourage auditors to perform work in a mechanical fashion without considering the circumstances of a particular client.
  4. Flowcharts
  These provide a clear diagrammatic representation of the system, but can be time-consuming to draw up.
  H. Evaluating the internal control system
  (1) Having recorded the system, the auditor needs to make a preliminary evaluation of the system in order to make a final decision as to whether to go down the systems route of testing and reliance on internal controls.
  (2) Internal Control Evaluation questions (ICEs)
  The ICE is answered using knowledge of the system obtained from the flowchart or ICQ. They are often referred to as Key or Control questions.
  Control objectives seek to establish if controls exist to meet the specified objective. ICEs seek to establish if controls exist to prevent a specified error or omission.
  (3) The link between ICEs and ICQs
  ICQs are objective questions which focus on specific controls. They form the subsidiary or criteria questions for answering the ICE.
  ICQs have a number of objectives:
   To ascertain a client’s system of accounting and internal control
   To record the client’s system
   To identify controls (or the absence of controls), and hence
   To assist the evaluation of the system
  Limitations on the effectiveness of internal controls
  As we have seen, it is possible to reduce the volume of substantive procedures required, but not to eliminate the requirement altogether. This is because all systems have inherent limitations such as:
  · the need to balance the cost of the control with its benefits
  · the fact that internal controls are applied to systematic transactions, not one-off year-end adjustments, which are often large and subject to error
  · the potential for human error
  · the possibility of circumvention of internal controls through the collusion of managers or employees with other parties inside or outside the entity - e.g. the supervisor responsible for checking and authorising overtime claims colluding with employees (to enable excess overtime payments to be claimed, for example)
  · the abuse of authority and override of controls - e.g. ordering personal goods through the firm (it is very easy for directors and managers of organisations of any size to instruct staff to bypass normal procedures such as the requirement for authorisation for payments)
  · the obsolescence of controls.
 
