APT Global Firms
+971 55 100 3120 / +971 55 100 3158
info@aptglobalfirms.com
Dubai UAE Riyadh KSA

Internal Controls in Statutory Audit (Part viii)


Impact of Effective Internal Controls on Statutory Audit/External Auditor Procedures

The impact of effective internal controls on statutory audit and external auditor procedures is one part of a much broader topic. This part looks in detail at the effects of internal controls in business and at how different types of controls affect statutory audit and external auditor procedures. The following points are vital to understanding the topic:

Difference between statutory audit and private sector audit

Internal control system involves all the policies and procedures (internal controls) adopted by the entity to assist in achieving management’s objective of ensuring, as far as practicable, the orderly and efficient conduct of business including adherence to management policies, safeguarding of assets, and the prevention and detection of fraud and error.

An internal control system in any organization helps management to achieve the desired objectives stated below:

  • Effectiveness and efficiency of operation
  • Reliability of financial and management reporting
  • Compliance with laws and regulations
  • Safeguarding of assets.

(i) Streamlining audit procedures

In streamlining their procedures, auditors typically wish to reduce the expected level of assessment of control risk for the assertion under consideration. Pervasive internal controls often allow them to do so. A pervasive control is defined as one that, if effective, affects other controls. Thus, the need to test the effectiveness of this single control for every relevant assertion is often obviated by its pervasive effect. An example might be a control to restrict access to a computerized application to a specific group of employees. If an auditor is satisfied that this is an effective control, he may assess control risk for many relevant assertions as being low. Where tests of manual controls are necessary, these too can often be reduced in extent.

For systems with a high level of computer processing, auditors are increasingly relying on the assessments of internal auditors and recommendations from the computer audit specialist to determine the extent, if any, to which they will test the client’s system. Any reliance on the work of others is only possible when the auditors are satisfied as to the competence and objectivity of the individuals concerned. For belief systems engagements of internal and external auditors may be fully integrated in an attempt to achieve joint or dual auditing. This is quite rare for statutory audits, but the general trend towards increased involvement of internal auditors in discussions with external auditors suggests that there is considerable potential to achieve the stated goal of the IAASB of fostering and increasing collaboration between the two sets of auditors.

Dual auditing has been shown to reduce the fees of the external auditors, but little is known about its effect on their assessment of control risk or the amount and type of testing that they do. Dual auditors can only assess control risk at a high level and perform little testing if they are to avoid testing the same things and duplicating each other’s work. Despite this, much can be learned from dual auditors about external auditors’ procedures in the future.

(ii) Reducing audit risk and enhancing audit quality

To accomplish a given level of audit objective, a client must be willing to accept a level of audit risk. According to Arens et al. (2012), audit risk is the risk that the auditors may unknowingly fail to modify their opinion on financial statements that are materially misstated. Audit risk is a function of the risks of material misstatement and detection risk, with inherent and control risk having an effect on the former. Therefore, to reduce the level of audit risk, auditors should aim to decrease inherent and control risk.

This can be partially achieved through a detailed understanding of a client’s internal controls, as auditors can harness knowledge of a client’s processing methods and accounting systems to identify areas where material misstatements are likely to arise. This allows auditors to focus on high-risk areas when carrying out substantive audit procedures and therefore makes the detection of material misstatements more likely. In this manner, the reliance placed upon a client’s internal controls can also serve to reduce inherent risk, as control risk and the likelihood of material misstatements occurring in relevant account balances can affect the nature, timing, and extent of substantive procedures (Silverstone, 2000). The identification of weaknesses in a client’s internal controls may also highlight areas where a client is more susceptible to errors and fraud, with material misstatements being a common symptom of such activities.

Control risk can be assessed directly and if auditors are able to rely on internal controls more, assessments will be made at the maximum level due to the resulting effective and efficient audit. Hence, the overall level of control risk will decrease over time (Ramey and Schwiesow, 1997). Therefore, through increased knowledge and reliance upon a client’s internal controls, an auditor is able to alter conditions and avoid the occurrence of adverse audit results. Not only will control and inherent risk be reduced, but it is likely that the occurrence of misstatements or undetected misstatements will decrease.

(iii) Enhancing auditor’s reliance on internal controls

There are a number of ways internal controls can enhance an auditor’s reliance on, and understanding of, the entity’s accounting system. These include: the types of internal controls documented by management, the effectiveness of the internal controls, the consistency with which they are applied, and the monitoring of the internal controls. This process is a highly relevant one, as generally the statutory audit relies on the internal controls of an entity to assess control risk. By gaining an understanding of the types and the way in which they are applied, an assessment can be made as to the likelihood of misstatements occurring. Misstatements in manual and automated systems occur when a control is not followed or is ineffective. In identifying such controls, the auditor can gain an understanding of the points in the system where misstatements are likely to occur, and thus where to focus the audit effort. Knowledge of the types and consistency of application of internal controls may also allow the auditor to reduce assessed control risk at certain stages in the system, by identifying where there are effective controls which prevent misstatements. This is known as control risk assessment, and can lead to a reduction in substantive testing in these areas, and an increase in reliance on the relevant internal controls and tests of controls. A sound understanding of an entity’s internal controls may also enable an auditor to identify controls which are preventative in nature, as opposed to those which are detective. The reliance strategy is aimed at identifying controls that prevent misstatements and relying on these as evidence that the relevant assertions are valid, thus reducing the need for further substantive testing.
