The auditor's goal is to report to those charged with governance and management any flaws in internal control that the auditor discovered during the audit and that, in the auditor's professional opinion, are important enough to warrant their attention. When identifying and assessing the risks of material misstatement, the auditor must have a thorough understanding of the internal controls that are relevant to the audit. In making those risk assessments, the auditor considers internal control in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of internal control. Internal control deficiencies may be discovered by the auditor not only during the risk assessment process but also at any other stage of the audit. This ISA (UK) defines which detected problems the auditor must communicate to those charged with governance and management.
The auditor may examine the following factors when deciding whether a defect in internal control or a combination of failures constitutes a substantial deficiency:
- The possibility that internal control weaknesses will lead to major misstatements in the financial statements in the future.
- The associated asset's or liability's susceptibility to loss or fraud.
- The subjectivity and complexity of estimated amounts, such as fair value accounting estimates.
- The financial statement amounts that are exposed to the flaws.
- The amount of activity that has occurred or could occur in the account balance or class of transactions exposed to the shortfall or deficiencies.
- The value of controls in the financial reporting process, such as:
  - General monitoring controls (such as oversight of management).
  - Controls over fraud prevention and detection.
  - Controls over the selection and application of major accounting policies.
  - Controls over major transactions involving associated parties.
  - Controls over large transactions that occur outside of the normal course of business.
  - Period-end financial reporting process controls (such as non-recurring journal entry controls).
- The reason for the exceptions found as a result of control flaws, as well as the frequency with which they occur.
- The interaction of the weakness with other internal control problems.
Practice:
Internal control problems that have been identified may call into doubt management's integrity or competence. For example, there could be evidence of management fraud or purposeful non-compliance with rules and regulations, or management could show an inability to oversee the preparation of proper financial statements, raising questions about management's competence. As a result, it may not be acceptable to inform management about such deficiencies immediately. When an auditor discovers or suspects fraud involving management, ISA (UK) 240 establishes requirements and provides guidance on how to communicate with those charged with governance.
Reference:
https://bit.ly/35NC6U9