9.29 Paragraph .40 of AU section 314 states that the auditor should obtain an understanding of the five components of internal control sufficient to assess the risks of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures. The auditor should obtain a sufficient understanding by performing risk assessment procedures to:
• evaluate the design of controls relevant to an audit of financial statements.
• determine whether they have been implemented.
9.30 The auditor should use the understanding to:
• identify types of potential misstatements.
• consider factors that affect the risks of material misstatement.
• design tests of controls, when applicable, and substantive proce
dures.
9.31 Obtaining an understanding of internal controls is different from testing the operating effectiveness of internal control. The objective of obtaining an understanding of internal control is to evaluate the design of controls and determine whether they have been implemented for the purpose o f assessing the risks of material misstatement. In contrast, the objective of testing the operating effectiveness of internal controls is to determine whether the controls, as designed, prevent or detect a material misstatement.
9.32 Paragraph .41 of AU section 314 defines internal control as "a process— effected by those charged with governance, management, and other personnel— designed to provide reasonable assurance about the achievement of the entity’s objectives with regard to reliability of financial reporting, effec
tiveness and efficiency of operations, and compliance with applicable laws and regulations." Internal control consists of five interrelated components:
a. The control environment b. Risk assessment
c. Information and communication systems d. Control activities
e. Monitoring
Refer to paragraphs .40-.101 of AU section 314 for a detailed discussion o f the internal control components.
9.33 In obtaining an understanding of internal control, the auditor should obtain sufficient knowledge o f the information system as discussed in AU sec
tion 314. An entity's use of information technology (IT)1 may affect any of the five components o f internal control relevant to the achievement of the entity's financial reporting, operations, or compliance objectives, and its operating units or business functions. As part of gaining a sufficient understanding, the auditor should:
• obtain an understanding of how the incorrect processing of trans
actions is resolved.
• obtain an understanding of the entity's information system rele
vant to financial reporting, including how transactions originate within the entity's business process.
• obtain an understanding of how IT affects control activities that are relevant to planning the audit.
• consider whether the entity has responded adequately to the risks arising from IT.1 2
1 Information technology (IT) encompasses automated means o f originating, processing, storing, and communicating information and includes recording devices, communication systems, computer systems (including hardware and software components and data), and other electronic devices. An entity's use o f IT may be extensive; however, the auditor is primarily interested in the entity's use of IT to initiate, record, process, and report transactions or other financial data.
2 See footnote 1.
To obtain this understanding, the auditor should perform risk assessment pro
cedures such as inquiries of appropriate management, supervisory, and staff personnel; inspection o f documents and records; and observation o f activities and operations, and through previous experience with the contractor. Internal control questionnaires, narrative descriptions, flowcharts, decision tables, anal
yses of IT systems, and other techniques are examples of common techniques used in this phase o f the audit because those techniques enable the auditor to approach the understanding of internal control in a systematic manner and provide an effective means o f documentation.
9.34 Paragraph .97 o f AU section 314 states that the auditor should obtain an understanding o f the major types o f activities that the entity uses to monitor internal control and how those activities are used to initiate corrective actions to its controls. The monitoring o f controls involves assessing the design and operation of controls on a timely basis to ensure that controls continue to operate effectively. Management accomplishes monitoring of controls through ongoing activities, separate evaluations, or a combination of the two. To obtain audit evidence about relevant monitoring controls, the auditor might make inquiries and observations o f entity personnel that would help the auditor determine the extent to which the contractor's personnel are performing their assigned responsibilities in accordance with the established controls.
9.35 Another component o f internal control, in addition to monitoring, is an entity's control activities. Paragraph .89 of AU section 314 states that the auditor should obtain an understanding o f those control activities relevant to the audit. Control activities are the policies and procedures that help ensure that management directives are carried out, for example, that necessary actions are taken to address risks that threaten the achievement o f the entity's objec
tives. Examples o f specific control activities include authorization, segregation o f duties, safeguarding, and asset accountability. An audit does not require an understanding o f all the control activities; however, control activities for which the auditor is required to evaluate are identified in paragraphs .115-.117 of AU section 314. With regards to segregation o f duties, the auditor might make inquiries and observations o f entity personnel that would help the auditor deter
mine the extent to which the contractor's assignment of responsibilities among the various personnel within the organization reduces the opportunities to al
low any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of his or her duties. Smaller organizations may find that using management oversight o f the incompatible activities may help achieve an appropriate segregation o f duties.
9.36 If the contractor has an internal audit function, the auditor, in ac
cordance with the provisions of AU section 322, The Auditor's Consideration o f the Internal Audit Function in an Audit o f Financial Statements (AICPA, Professional Standards, vol. 1), may take into consideration the existence of an internal audit function in determining the nature, timing, and extent of auditing procedures to be performed.
Considerations for Integrated Audits
When performing an integrated audit, refer to paragraphs 16-19 of Auditing Standard No. 5 for a discussion on using the work o f others to alter the nature, timing, and extent o f the work that otherwise would have been performed to test controls.
9.37 A wide variety of conditions, such as the materiality o f specific con
tracts, influence the auditor's selection of specific audit procedures. The auditor must develop an audit plan in which the auditor documents the audit proce
dures to be used that, when performed, are expected to reduce audit risk to an acceptably low level. Paragraph .21 o f AU section 311 states that the audit plan should include:
• a description o f the nature, timing, and extent of planned risk assessment procedures sufficient to assess the risks o f material misstatement.
• a description of the nature, timing, and extent of planned further audit procedures at the relevant assertion level for each material class of transactions, account balance, and disclosure.
• a description o f other audit procedures to be carried out for the engagement in order to comply with GAAS.
For audits of construction contractors, the audit plan should include the review o f significant contracts. During the course o f the audit, the auditor may need to revise the audit plan to reflect the results o f the auditor's risk assessment procedures or tests of the effectiveness of the contractor's internal control, for example.
Considerations for Integrated Audits
When performing an integrated audit, the auditor should design his or her testing of controls to accomplish the objectives o f both audits simultaneously—
• to obtain sufficient evidence to support the auditor's opin
ion on internal control over financial reporting as o f year- end.
• to obtain sufficient evidence to support the auditor's con
trol risk assessments for purposes o f the audit o f financial statements.
When concluding on the effectiveness o f controls for the purpose of assessing control risk, the auditor also should evaluate the results of any additional tests o f controls performed to achieve the objective re
lated to expressing an opinion on the company's internal control over financial reporting, as discussed in paragraph B2 o f PCAOB Auditing Standard No. 5. Consideration of these results may require the audi
tor to alter the nature, timing, and extent of substantive procedures and to plan and perform further tests o f controls, particularly in re
sponse to identified control deficiencies.
If, during the audit o f internal control over financial reporting, the auditor identifies a control deficiency, he or she should determine the effect on the nature, timing, and extent of substantive procedures to be performed to reduce the audit risk in the audit of the financial statements to an appropriately low level, as provided in paragraph B6 o f Auditing Standard No. 5.
In accordance with paragraph B8 o f Auditing Standard No. 5, in an au
dit o f internal control over financial reporting the auditor should eval
uate the effect of the findings o f all substantive auditing procedures performed in the audit o f financial statements on the effectiveness of internal control over financial reporting.