Wiley Practitioner's Guide to GAAS 2020 - Joanne M. Flood - Page 214
Understanding the Entity’s Internal Control
On every audit, the auditor should obtain an understanding of internal control that is of sufficient depth to enable the auditor to:
Assess the risks of material misstatement of the financial statements, whether due to error or to fraud.
Design the nature, timing, and extent of further audit procedures.
To meet these requirements, the auditor should:
Evaluate the design of controls that are relevant to the audit and determine whether the control—either individually or in combination—is capable of effectively preventing or detecting and correcting material misstatements.
Determine that the control has been implemented—that is, that the control exists and that the entity is using it.
(AU-C 315.13–.14)
The auditor’s evaluation of internal control design and the determination of whether controls have been implemented are critical to the assessment of the risks of material misstatement. Remember that even if the auditor’s overall audit strategy contemplates performing only substantive procedures for all relevant assertions related to material transactions, account balances, and disclosures, the auditor still needs to evaluate the design of the client’s internal control.
NOTE: In evaluating control design, it is helpful to consider:
Whether control objectives that are specific to the unique circumstances of the client have been considered for all relevant assertions for all significant accounts and disclosures
Whether the control or combination of controls would—if operated as designed—meet the control objective
Whether all controls necessary to meet the control objective are in place
NOTE: To evaluate the design and implementation of internal controls relevant to the audit, the auditor should perform procedures such as:
Inquiry
Observation
Inspection of documentation
Walk-throughs—tracing transactions through the information systems
When obtaining an understanding about the design of internal controls and determining whether those controls have been implemented, inquiry alone is not sufficient. Thus, for these purposes, the auditor should supplement inquiries with other risk assessment procedures. (AU-C 315.14)
(AU-C 315.A76)