9.29 Paragraph .40 of AU section 314 states that the auditor should obtain an understanding of the 5 components of internal control sufficient to assess the risks of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures. The auditor should obtain a sufficient understanding by performing risk assessment procedures to
• evaluate the design of controls relevant to an audit of financial statements and
• determine whether they have been implemented.
9.30 The auditor should use the understanding to
• identify types of potential misstatements,
• consider factors that affect the risks of material misstatement, and
• design tests of controls, when applicable, and substantive procedures.
9.31 Obtaining an understanding of internal controls is different from testing the operating effectiveness of internal control. The objective of obtaining an understanding of internal control is to evaluate the design of controls and determine whether they have been implemented for the purpose of assessing the risks of material misstatement.1 In contrast, the objective of testing the operating effectiveness of internal controls is to determine whether the controls, as designed, prevent or detect a material misstatement.
9.32 Paragraph .41 of AU section 314 defines internal control as "a process—effected by those charged with governance, management, and other personnel—designed to provide reasonable assurance about the achievement of the entity's objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations." Internal control consists of five interrelated components:
• The control environment
• Risk assessment
• Information and communication systems
• Control activities
• Monitoring
Refer to paragraphs .40–.101 of AU section 314 for a detailed discussion of the internal control components.
1 Technical Questions and Answers (TIS) section 8200.11, "Ineffective Controls" (AICPA, Technical Practice Aids), states that, prior to the performance of risk assessment procedures, an auditor's belief that controls over financial reporting are either nonexistent or ineffective does not exempt the auditor from the evaluation and documentation of those controls as set forth in AU section 314, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (AICPA, Professional Standards, vol. 1). For additional nonauthoritative guidance pertaining to internal control and the risk assessment standards (Statement on Auditing Standards Nos. 104–111), refer to the entirety of TIS section 8200, Internal Control (AICPA, Technical Practice Aids).
Construction Contractors
9.33 In obtaining an understanding of internal control, the auditor should obtain sufficient knowledge of the information system as discussed in AU section 314. An entity's use of IT2 may affect any of the five components of internal control relevant to the achievement of the entity's financial reporting, operations, or compliance objectives, and its operating units or business functions. As part of gaining a sufficient understanding, the auditor should
• obtain an understanding of how the incorrect processing of transactions is resolved.
• obtain an understanding of the entity's information system relevant to financial reporting, including how transactions originate within the entity's business process.
• obtain an understanding of how IT affects control activities that are relevant to planning the audit.
• consider whether the entity has responded adequately to the risks arising from IT.3
To obtain this understanding, the auditor should perform risk assessment procedures such as inquiries of appropriate management, supervisory, and staff personnel; inspection of documents and records; and observation of activities and operations, and through previous experience with the contractor. Internal control questionnaires, narrative descriptions, flowcharts, decision tables, analyses of IT systems, and other techniques are examples of common techniques used in this phase of the audit because those techniques enable the auditor to approach the understanding of internal control in a systematic manner and provide an effective means of documentation.
9.34 Paragraph .97 of AU section 314 states that the auditor should obtain an understanding of the major types of activities that the entity uses to monitor internal control and how those activities are used to initiate corrective actions to its controls. The monitoring of controls involves assessing the design and operation of controls on a timely basis to ensure that controls continue to operate effectively. Management accomplishes monitoring of controls through ongoing activities, separate evaluations, or a combination of the two. To obtain audit evidence about relevant monitoring controls, the auditor might make inquiries and observations of entity personnel that would help the auditor determine the extent to which the contractor's personnel are performing their assigned responsibilities in accordance with the established controls.
2 IT encompasses automated means of originating, processing, storing, and communicating information and includes recording devices, communication systems, computer systems (including hardware and software components and data), and other electronic devices. An entity's use of IT may be extensive; however, the auditor is primarily interested in the entity's use of IT to initiate, record, process, and report transactions or other financial data.
3 See footnote 2.
Planning the Audit
9.35 Another component of internal control, in addition to monitoring, is an entity's control activities. Paragraph .89 of AU section 314 states that the auditor should obtain an understanding of those control activities relevant to the audit. Control activities are the policies and procedures that help ensure that management directives are carried out, for example, that necessary actions are taken to address risks that threaten the achievement of the entity's objectives. Examples of specific control activities include authorization, segregation of duties, safeguarding, and asset accountability. An audit does not require an understanding of all the control activities; however, the control activities that the auditor is required to evaluate are identified in paragraphs .115–.117 of AU section 314. With regard to segregation of duties, the auditor might make inquiries and observations of entity personnel that would help the auditor determine the extent to which the contractor's assignment of responsibilities among the various personnel within the organization reduces the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of his or her duties. Smaller organizations may find that using management oversight of the incompatible activities may help achieve an appropriate segregation of duties.
9.36 If the contractor has an internal audit function, the auditor, in accordance with the provisions of AU section 322, The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements (AICPA, Professional Standards, vol. 1), may take into consideration the existence of an internal audit function in determining the nature, timing, and extent of auditing procedures to be performed.
Considerations for Audits Performed in Accordance With PCAOB Standards
When performing an integrated audit, refer to paragraphs 16–19 of Auditing Standard No. 5 for a discussion on using the work of others to alter the nature, timing, and extent of the work that otherwise would have been performed to test controls.
9.37 A wide variety of conditions, such as the materiality of specific contracts, influence the auditor's selection of specific audit procedures. The auditor must develop an audit plan in which the auditor documents the audit procedures to be used that, when performed, are expected to reduce audit risk to an acceptably low level. Paragraph .21 of AU section 311 states that the audit plan should include
• a description of the nature, timing, and extent of planned risk assessment procedures sufficient to assess the risks of material misstatement.
• a description of the nature, timing, and extent of planned further audit procedures at the relevant assertion level for each material class of transactions, account balance, and disclosure.
• a description of other audit procedures to be carried out for the engagement in order to comply with GAAS.
For audits of construction contractors, the audit plan should include the review of significant contracts. During the course of the audit, the auditor may need to revise the audit plan to reflect the results of the auditor's risk assessment procedures or tests of the effectiveness of the contractor's internal control, for example.
Considerations for Audits Performed in Accordance With PCAOB Standards
When performing an integrated audit, the auditor should design his or her testing of controls to accomplish the objectives of both audits simultaneously
• to obtain sufficient evidence to support the auditor's opinion on internal control over financial reporting as of year-end.
• to obtain sufficient evidence to support the auditor's control risk assessments for purposes of the audit of financial statements.
When concluding on the effectiveness of controls for the purpose of assessing control risk, the auditor also should evaluate the results of any additional tests of controls performed to achieve the objective related to expressing an opinion on the entity's internal control over financial reporting, as discussed in paragraph B2 of PCAOB Auditing Standard No. 5. Consideration of these results may require the auditor to alter the nature, timing, and extent of substantive procedures and to plan and perform further tests of controls, particularly in response to identified control deficiencies.
If, during the audit of internal control over financial reporting, the auditor identifies a control deficiency, he or she should determine the effect on the nature, timing, and extent of substantive procedures to be performed to reduce the audit risk in the audit of the financial statements to an appropriately low level, as provided in paragraph B6 of Auditing Standard No. 5.
In accordance with paragraph B8 of Auditing Standard No. 5, in an audit of internal control over financial reporting the auditor should evaluate the effect of the findings of all substantive auditing procedures performed in the audit of financial statements on the effectiveness of internal control over financial reporting.