International Audit Standards

Internal Control
400. RISK ASSESSMENT AND INTERNAL CONTROL

Introduction

The purpose of this International Auditing Standard is to establish standards and

provide guidelines to obtain an understanding of the systems of
accounting and internal control regarding audit risk and its components:
inherent risk, control risk and detection risk.

The auditor must obtain an understanding of the accounting systems.

and sufficient internal control to plan the audit and develop a
effective audit approach. The auditor must use professional judgment
to assess the audit risk and design the procedures of
audit to ensure that the risk is reduced to an acceptably low level
low.

Inherent risk

When developing the overall audit plan, the auditor should evaluate the
inherent risk at the financial statement level. When developing the program of
audit, the auditor should relate that evaluation at the level of
statement of account balances and classes of significant transactions
relative, or assuming that the inherent risk is high for the assertion.

Accounting and internal control systems

The internal controls related to the accounting system are aimed at

achieve objectives such as:

· Transactions are executed in accordance with the general authorization or

specific to management.
· All transactions and other events are promptly recorded in the
correct amount, in the appropriate accounts and in the appropriate accounting period.
· Access to assets and records is allowed only with authorization.
of the administration.
· The registered assets are compared with the existing assets at intervals.
reasonable and appropriate action is taken regarding any differences.

Understanding accounting systems and internal control

By gaining an understanding of accounting systems and internal control

to plan the audit, the auditor gains an understanding of the design of the
accounting and internal control systems, and their operation.

Accounting system

The auditor should obtain an understanding of the accounting system.

sufficient to identify and understand:

the main types of transactions in operations of the

entity
(b) how such transactions are initiated;
(c) important accounting records, supporting documents, and accounts in
the financial statements; and
(d) the accounting and financial reporting process, from the beginning of
important transactions and other events until their inclusion in the
financial statements.

Control environment

The auditor should obtain an understanding of the control environment

enough to assess the attitudes, awareness, and actions of directors and
administration, regarding internal controls and their importance in
entity.

Control procedures

The auditor should obtain an understanding of the procedures of

sufficient control to develop the audit plan.By obtaining this
the auditor would consider the knowledge about the presence or absence
of control procedures obtained from the understanding of the control environment and
of the accounting system to determine if any understanding is necessary
additional information on control procedures.

Control Risk

Preliminary risk assessment of control

The preliminary control risk assessment is the process of evaluating the

effectiveness of the accounting systems and internal control of an entity to
prevent or detect and correct misrepresentations of relative importance.
There will always be some risk of control due to the inherent limitations of
any accounting and internal control system.

After gaining an understanding of accounting systems and

internal control, the auditor should make a preliminary assessment of
control risk, at the assertion level, for each account balance or
class of transactions, of relative importance.

The evaluation preliminary risk of control for a

The assertion of the financial statement should be high unless the auditor:

can identify relevant internal controls for the assertion that is

likely to prevent or detect and correct a misrepresentation
of relative importance; and

I plan to perform control tests to support the evaluation.

Documentation of the understanding and evaluation of control risk
The auditor should document in the audit working papers:

the understanding gained from accounting and control systems

internal of the entity; and
the assessment of control risk.When the risk of control is
evaluated as less than high, the auditor should also document the basis
for the conclusions.

Control tests

The auditor should obtain audit evidence through tests of

control to support any control risk assessment that may be
less than high. The lower the control risk assessment, the more
support should obtain from the auditor that the accounting and
internal controls are adequately designed and operating effectively
tiva.

Based on the results of the control tests, the auditor should

assess whether the internal controls are designed and operating as intended
she contemplated in the preliminary risk control assessment.The evaluation of
deviations may result in the auditor concluding that the level
The control risk assessment needs to be reviewed. In such cases, the auditor
I would modify the nature, opportunity, and scope of the substantive procedures.
planned.

Quality and timeliness of audit evidence

When determining the appropriate audit evidence to support a conclusion

about control risk, the auditor can consider the audit evidence
obtained in previous audits. In an ongoing work, the auditor will be aware
from the accounting systems and internal control through the work carried out
previously, but will need to update the acquired knowledge and consider
the need to obtain additional audit evidence of any changes in
control.Before relying on procedures applied in audits
previously, the auditor should obtain audit evidence to support this
reliability.The auditor should obtain evidence about the nature,
opportunity and scope of any changes in accounting systems and
internal control of the entity, since these procedures were applied and
You should evaluate its impact on the trust you are trying to place in them.
The more time has passed since those were applied.
procedures, lowers the level of security.

The auditor should consider whether the internal controls were in place.
throughout the period.If the controls were substantially modified in several
on occasions during the period, the auditor should consider each one
separately. A failure in the internal controls for a specific portion of the
period requires separate consideration of the nature, opportunity and
scope of the audit procedures to be applied to the transactions and
other events of that period.

The auditor may decide to develop some control tests during a visit.
interim before the end of the period. However, the auditor cannot rely on the
results of such tests without considering the need to obtain evidence of
additional audit related to the rest of the period.

Final assessment of control risk

Before the conclusion of the audit, based on the results of the

substantive procedures and other audit evidence obtained by the
auditor, the auditor should consider whether the evaluation of the control risk
was appropriate.

Relationship between inherent risk assessments and control assessments

Management often reacts to situations of inherent risk by designing

accounting and internal control systems to prevent or detect and correct
misleading representations and therefore, in many cases, the inherent risk and the
control risk and inherent risk are highly interrelated. In these situations, if the
the auditor decides to evaluate inherent and control risks separately, there would be
the possibility of an inappropriate risk assessment. As a result, the risk
of audit can be more appropriately determined in such situations
doing a combined assessment.

Detection risk

The level of detection risk is directly related to the procedures

auditor's nouns. The auditor's assessment of control risk, along with the
evaluation of inherent risk, influences the nature, opportunity, and scope of
the substantive procedures that must be developed to reduce the risk of
detection, and therefore the audit risk, to an acceptably low level. Some
the risk of detection would always be present even if an auditor examined 100 percent.
one hundred of the balance of an account or class of transactions because, for example, the
Most of the audit evidence is persuasive and not conclusive.

The auditor should consider the assessed levels of inherent risks and
of control in determining the nature, opportunity, and scope of the
substantive procedures required to reduce audit risk to
an acceptable level.In this regard, the auditor would consider:

(a)the nature of substantive procedures, for example, using tests

directed towards independent parts outside the entity and not directed tests
towards parts or documentation within the entity, or use detail tests to
a specific audit objective besides analytical procedures;

(b)the opportunity for substantive procedures, for example, developing them at

end of the period and not on an earlier date; and

(c)the scope of substantive procedures, for example, using a size

sample mayor.

The evaluated levels of inherent and control risks may not be sufficient.
low criteria to eliminate the need for the auditor to develop any
substantive procedure.Regardless of the evaluated risk levels
inherent and control, the auditor should develop some
substantive procedures for account balances and classes of
important transactions.

The higher the evaluation of inherent risk and control, the more
audit evidence should be obtained by the auditor from the development of
substantive procedures.When both the inherent risk and the control risk
they are assessed as high, the auditor needs to consider whether the procedures
nouns can provide sufficient appropriate audit evidence to reduce
the risk of detection, and therefore the risk of audit, to an acceptably level
low.When the auditor determines that the detection risk regarding
a statement of the financial statements for the balance of an account or
class of relatively important transactions, cannot be reduced to a
acceptable low level, the auditor should express an opinion
qualified or an abstention of opinion.

Communication of weaknesses

As a result of gaining an understanding of accounting systems and

internal control and control tests, the auditor can detect weaknesses in
the systems.The auditor should inform management as soon as possible.
feasible and at an appropriate level of responsibility, regarding the weaknesses of
importance in the design or operation of accounting systems and of
internal control, that have come to the attention of the auditor. The
communication to the administration of significant weaknesses
Ordinarily it would be in writing.However, if the auditor judges that the
oral communication is appropriate, said communication would be documented in the
audit working papers. It is important to indicate in the communication that
only weaknesses that have come to the auditor's attention have been reported as
a result of the audit and that the examination has not been designed to determine
the appropriateness of internal control for management purposes.

Illustration of the interrelation of the components of audit risk

The following table shows how the acceptable level of risk may vary
detection, based on assessments of inherent risks and controls.
The auditor's assessment of risk is:

High Media Low

High The lowest Lower Media

The evaluation of
risk auditor Media Lower Media Higher
inherent
Low Media Higher The highest

The bold areas in this table refer to the risk of detection.

There is an inverse relationship between the risk of detection and the combined level of the
inherent and control risks. For example, when the inherent and
Control levels are high, acceptable detection risk levels need to be low.
to reduce the audit risk to an acceptably low level. On the other hand,
when inherent and control risks are low, an auditor may accept a
higher detection risk and still reduce the audit risk to a level
acceptably low.

International Auditing Standards

Internal Control
401. AUDIT IN AN INFORMATION SYSTEMS ENVIRONMENT
COMPUTERIZED

Introduction

The purpose of this International Audit Standard (IAS) is to establish standards and
provide guidelines on the procedures that must be followed when
conduct an audit in a computerized information systems environment
For the purposes of the ISA, a SIC environment exists when a
computer of any kind or size in the processing of information
financially important for the audit, whether that computer is
operated by the entity or by a third party.

The auditor must consider how a SIC environment affects the audit.
The overall objective and scope of an audit do not change in an IT environment. Without
embargo, the use of a computer changes processing, storage and
communication of financial information and may affect the systems of
accounting and internal control used by the entity. Therefore, a
SIC environment can affect:

• The procedures followed by an auditor to obtain an understanding

sufficient of accounting systems and internal control.

• The consideration of inherent risk and control risk through which

the auditor reaches the risk assessment.

The design and development by the auditor of control tests and procedures
appropriate nouns to fulfill the objective of the audit.

Skill and competence

The auditor should have sufficient knowledge of the ICS to plan.

direct, supervise and review the developed work. The auditor should
consider whether specialized skills in SIC are needed in a
audit.These may be needed for:

Obtain a sufficient understanding of accounting and control systems

internally affected by the SIC environment.

Determine the effect of the SIC environment on the global risk assessment and of the
risk at the account balance level and transaction class level.

• Design and perform control tests and substantive procedures

appropriate.

If specialized skills are needed, the auditor would seek the help of a
professional with such skills, who can be part of the audit staff or
be an external professional.If the use of such a professional is planned, the auditor
should obtain sufficient appropriate audit evidence that such
the work is suitable for the purposes of the audit, in accordance with ISA
Use of an expert's work.

Planning

According to NIA 'Risk Assessment and Internal Control', the auditor

should gain an understanding of accounting systems and
internal control, sufficient to plan the audit and develop an approach
what effective auditing.

When planning the portions of the audit that may be affected by the
client's SIC environment, the auditor should obtain an understanding of the
importance and complexity of SIC activities and the availability of
data for use in the audit.

When the SIC is significant, the auditor must also obtain a

understanding the SIC environment and whether it can influence the evaluation of the
inherent and control risks.The nature of risks and their characteristics
internal control in SIC environments includes the following:

· Lack of traces of the transactions.

· Uniform processing of transactions.

· Inadequate segregation of duties.

· Potential for errors and irregularities.

Risk Assessment

According to NIA 'Risk assessment and internal control', the auditor

I should conduct an evaluation of the inherent risks and controls for
the important assertions of the financial statements.

Audit Procedures

According to NIA 'Risk assessments and internal control' the auditor

you should consider the SIC environment when designing the procedures for
audit to reduce audit risk to an acceptably low level
low.

The specific objectives of the auditor's audit do not change whether the data
accounting is processed manually or by computer. However, the
methods of applying audit procedures to gather evidence can
to be influenced by computerized processing methods. The auditor
you can use manual audit procedures, audit techniques with assistance
computer, or a combination of both to obtain sufficient material from
evidence. However, in some accounting systems that use a
computer to process meaningful applications can be difficult or impossible
for the auditor to obtain certain data for inspection, investigation, or confirmation
without the help of the computer.
 International Auditing Standards
Internal Control
401. AUDIT IN AN INFORMATION SYSTEMS ENVIRONMENT
COMPUTERIZED

Introduction

The purpose of this International Audit Standard (IAS) is to establish standards and
provide guidelines on the procedures that must be followed when
conduct an audit in a computerized information systems environment
For the purposes of the NIA, a SIC environment exists when it is involved in a
computer of any type or size in information processing
financially important for the audit, whether that computer is
operated by the entity or by a third party.

The auditor must consider how a SIC environment affects the audit.

The overall objective and scope of an audit does not change in a SIC environment. Without
embargo, the use of a computer changes the processing, storage and
communication of financial information and may affect the systems of
accounting and internal control employed by the entity. Therefore, a
SIC environment can affect:

• The procedures followed by an auditor to obtain an understanding

sufficient of the accounting systems and internal control.

• The consideration of inherent risk and control risk through which

the auditor arrives at the risk assessment.

The design and development by the auditor of control tests and procedures
appropriate nouns to fulfill the objective of the audit.

Skill and competence

The auditor should have sufficient knowledge of the ICS to plan.

direct, supervise, and review the work developed. The auditor should
consider whether specialized skills in SIC are needed in a
audit.These may be needed for:

Obtain a sufficient understanding of accounting and control systems

internally affected by the SIC environment.
• Determine the effect of the SIC environment on the assessment of global risk and of
risk at the account balance level and transaction class.

• Design and perform control tests and substantive procedures

appropriate.

If specialized skills are needed, the auditor would seek assistance from a
professional with such skills, who can belong to the auditor's staff or
be an external professional.If the use of said professional is planned, the auditor
should obtain sufficient appropriate audit evidence that such
The work is suitable for the purposes of the audit, according to ISA.
Use of an expert's work

Planning

According to ISA 'Risk Assessment and Internal Control' the auditor

I should obtain an understanding of accounting systems and
internal control, sufficient to plan the audit and develop an approach
what effective auditing.

When planning the portions of the audit that may be affected by the
customer's SIC environment, the auditor should obtain an understanding of the
importance and complexity of SIC activities and availability
data for use in the audit.

When the IC is significant, the auditor must also obtain a

understanding of the SIC environment and whether it may influence the assessment of the
inherent and control risks.The nature of risks and their characteristics
internal control in SIC environments includes the following:

· Lack of traces of the transactions.

· Uniform processing of transactions.

· Inadequate segregation of duties.

· Potential for errors and irregularities.

Risk Assessment

According to NIA 'Risk Assessment and Internal Control', the auditor

should carry out an assessment of the inherent risks and controls for
the important assertions of the financial statements.

Audit Procedures

According to ISA "Risk Assessment and Internal Control" the auditor

You should consider the SIC environment when designing the procedures for
audit to reduce audit risk to an acceptably low level
low.

The specific audit objectives of the auditor do not change whether the data
Accounting is processed manually or by computer. However, the
methods of applying audit procedures to gather evidence can
to be influenced by computerized processing methods. The auditor
You can use manual audit procedures, audit techniques with assistance
computer, or a combination of both to obtain enough material from
evidence. However, in some accounting systems that use a
computer to process meaningful applications, can be difficult or impossible
for the auditor to obtain certain data for inspection, investigation, or confirmation
without the help of the computer.

International Auditing Standards

Internal Control
402. AUDIT CONSIDERATIONS RELATING TO ENTITIES THAT
SERVICE ORGANIZATIONS USE
Introduction

The purpose of this International Standard on Auditing (ISA) is to establish standards and
provide guidelines to an auditor whose client uses an organization of
service. This ISA also describes the auditor's reports of the organization
services that can be obtained by the client's auditors.

The auditor should consider how a service organization affects

the client's accounting and internal control systems, in order to
plan the audit and develop an effective audit approach.

Considerations of the Client Auditor

A service organization can establish and implement policies and procedures

that affect the accounting and internal control systems of a client. These
policies and procedures are physically and operationally separate from the
client organization. When the services provided by the organization of
services are limited to the registration and processing of customer transactions
and the client retains the authorization and maintenance of the responsibility to report
accounts, the client can implement effective policies and procedures within
of your organization. When the service organization executes the transactions of the
The client and maintains responsibility, the client may consider it necessary
depend on the policies y procedures of the organization of
service.

The auditor must determine the importance of the activities of the

customer service organization and its relevance to the audit.Al
to do this, the client's auditor would need to consider the following, as applicable,
appropriate

· Nature of the services provided by the service organization.

· Terms of the contract and relationship between the client and the service organization.

· The assertions of relative importance of the financial statements that are

affected by the use of the service organization.

· Inherent risk associated with such assertions

· Degree to which accounting systems and internal control interact.

client with the organization's service systems.

· Internal controls of the client that are applied to processed transactions

for the organization of service.

· Financial capacity and strength of the service organization, including the

possible effect of the lack of service from the service organization on the customer.

· Information about the service organization, such as that reflected in the

technical and user manuals.

· Information available on general controls and system controls

computing relevant to client applications.

The consideration of the above may lead the auditor to decide that the evaluation
the risk of control will not be affected by the organization's controls
service; if that were the case, the additional consideration of this ISA is unnecessary.

If the client's auditor concludes that the organization's activities...

service is significant for the entity and relevant for the audit, the
The auditor should obtain sufficient information to understand the systems.
accounting and internal control topics and to assess risk of
control either at a maximum level, or at a lower level if carried out
control tests.

The client's auditor can achieve an understanding of the systems of

accounting and internal control affected by the service organization for
during the reading of the auditor's report of the service organization. Furthermore,
when evaluating the control risk for the assertions affected by the
controls of the service organization systems, the client's auditor can
also use the auditor's report from the service organization.If the auditor
the client uses the auditor's report from a service organization, the
the auditor should consider making inquiries regarding the
professional competence of the auditor in the context of the assignment
specific assumed by the service organization's director.

Auditor reports of the service organization

When using the auditor's opinion of a service organization, the

the client's auditor should consider the nature and content of such
opinion.

The client's auditor should consider the scope of the work done.
by the organization's service auditor and should evaluate the usefulness and
property of the reports issued by the organization's auditor
service.

For those control tests and results that are relevant, a

the client's auditor should consider whether the nature, timing and
the scope of such tests provides sufficient appropriate evidence of
audit on the effectiveness of accounting and control systems
internal to support the evaluated level of control risk by the auditor
from the client.

The auditor of a service organization can be hired to perform

substantive procedures that are used by a client auditor. These
jobs may involve carrying out procedures agreed upon by the client
and its auditor and for the service organization and its auditor.

When a client's auditor uses an auditor's report from a

service organization, there should be no reference made in the dic-
client's auditor opinion on the organization
of service.

Taken from:Invalid URLtm