|
第一章 总则
第一条 为了规范注册会计师在会计报表审计中研究与评价被审计单位的内部控制,评估审计风险,提高审计效率,保证执业质量,根据《独立审计基本准则》,制定本准则。
第二条 本准则所称内部控制,是指被审计单位为了保证业务活动的有效进行,保护资产的安全和完整,防止、发现、纠正错误与舞弊,保证会计资料的真实、合法、完整而制定和实施的政策与程序。内部控制包括控制环境、会计系统和控制程序。
第三条 本准则所称审计风险,是指会计报表存在重大错报或漏报,而注册会计师审计后发表不恰当审计意见的可能性。审计风险包括固有风险、控制风险和检查风险。
第四条 注册会计师执行会计报表审计以外的其他审计业务,除有特定要求者外,应当参照本准则办理。
第二章 一般原则
第五条 注册会计师编制审计计划时,应当研究与评价被审计单位的内部控制。
第六条 注册会计师应当对拟信赖的内部控制进行符合性测试,据以确定对实质性测试的性质、时间和范围的影响。
第七条 注册会计师应当保持应有的职业谨慎,合理运用专业判断,对审计风险进行评估,制定并实施相应的审计程序,以将审计风险降低至可接受的水平。
第八条 注册会计师应当将研究、评价内部控制和评估审计风险的过程及结果记录于审计工作底稿。
第三章 内部控制
第九条 建立健全内部控制是被审计单位管理当局的会计责任。相关内部控制一般应当实现以下目标:
一 保证业务活动按照适当的授权进行;
二 保证所有交易和事项以正确的金额,在恰当的会计期间及时记录于适当的帐户,使会计表的编制符合会计准则的相关要求;
三 保证对资产和记录的接触、处理均经过适当的授权;
四 保证帐面资产与实存资产定期核对相符。
第十条 注册会计师在确定内部控制的可信赖程度时,应当保持应有的职业谨慎,充分关注内部控制的以下固有限制:
一 内部控制的设计和运行受制于成本与效益原则;
二 内部控制一般汉针对常规业务活动而设计;
三 即使是设计完善的内部控制,也可能因执行人员的粗心大意、精力分散、判断失误以及对指令的误解而失效;
四 内部控制可能因有关人员相互勾结、内外串通而失效;
五 内部控制可能因执行人员滥用职权或屈从于外部压力而失效;
六 内部控制可能因经营环境、业务性质的改变而削弱或失效。
第十一条 在编制审计计划时,注册会计师应当了解被审计单位内部控制的设计和运行情况。在确定了解内部控制所应实施审计程序的性质、时间和范围时,注册会计师应当主要考虑下列因素:
一 被审计单位经营规模及业务复杂程度;
二 被审计单位数据处理系统类型及复杂程度;
三 审计重要性;
四 相关内部控制类型;
五 相关内部控制的记录方式;
六 固有风险的评估结果。
第十二条 注册会计师在了解内部控制时,应当合理利用以往的审计经验。对于重要的内部控制,通常还可实施以下程序:
一 询问被审计单位有关人员,并查阅相关内部控制文件;
二 检查内部控制生成的文件和记录;
三 观察被审计单位的业务活动和内部控制的运行情况;
四 选择若干具有代表性的交易和事项进行穿行测试。
第十三条 注册会计师应当充分了解控制环境,以评价被审计单位管理当局对内部控制及其重要性的态度、认识和措施。影响控制环境的主要因素有:
一 经营管理的观念、方式和风格;
二 组织结构和权利、职责的划分方法;
三 控制系统。
第十四条 注册会计师应当充分了解会计系统,以识别和理解:
一 被审计单位交易和事项的主要类别;
二 各类主要交易和事项的发生过程;
三 重要的会计凭证、帐簿记录以及会计报表项目;
四 重大交易和事项的会计处理过程。
第十五条 注册会计师应当充分了解以下主要控制程序,以合理确定相关的审计程序:
一 交易授权;
二 职责划分;
三 凭证与记录控制;
四 资产接触与记录使用;
五 独立稽核。
第十六条 内部审计是被审计单位控制系统的重要组成部分,注册会计师应当考虑下列因素,对内部审计工作质量进行研究和评价,以确定是否利用内部审计的工作结果:
一 内部审计人员的独立性;
二 内部审计人员的经验和能力;
三 内部审计程序的性质、时间和范围;
四 内部审计人员所获取的审计证据的充分性和适当性;
五 管理当局对内部审计工作的重视程度。
第十七条 注册会计师可采用文字叙述、调查问卷、核对表、流程图等方法对内部控制进行了解和评价,并形成审计工作底稿。
第十八条 注册会计师应当将审计过程中注意到的内部控制重大缺陷,告知被审计单位管理当局。必要时,可出具管理建议书。
第四章 审计风险
第十九条 在编制总体审计计划时,注册会计师应当对会计报表整体的固有风险进行评估“固有风险是指假定不存在相关内部控制时,某一帐户或交易类别单独或连同其他帐户、交易类别产生重大错报或漏报的可能性。
第二十条 在编制具体审计计划时,注册会计师应当考虑固有风险的评估对各重要帐户或交易类别的认定所产生的影响,或者直接假定这种认定的固有风险为高水平。
第二十一条 注册会计师应当合理运用专业判断,考虑下列事项,评估固有风险:
一 管理人员的品行和能力;
二 管理人员特别是财会人员的变动情况;
三 管理人员遭受的异常压力;
四 业务性质;
五 影响被审计单位所在行业的环境因素;
六 容易产生错报的会计报表项目;
七 要利用专家工作结果予以佐证的重要交易和事项的复杂程度;
八 确定帐户金额时,要运用估计和判断的程度;
九 容易受损失或被挪用的资产;
十 会计期间内,尤其是临近会计期末发生的异常及复杂交易;
十一 在正常的会计处理程序中容易被漏记的交易和事项。
第二十二条 注册会计师了解内部控制并评估固有风险后,应当对各重要帐户或交易类别的相关认定所涉及的控制风险作出初步评估。控制风险是指某一帐户或交易类别单独或连同其他帐户、交易类别产生错报或漏报,而未能被内部控制防止、发现或纠正的可能性。
第二十三条 出现下列情况之一时,注册会计师应当将重要帐户或交易类别的部分或全部认定的控制风险评估为高水平;
一 被审计单位内部控制失效;
二 注册会计师难以对内部控制的有效性作出评估;
三 注册会计师不拟进行符合性测试。
第二十四条 注册会计师对某一会计报表认定的控制风险进行初步评估时,如果同时出现下列情况,不应将控制风险评估为高水平:
一 相关的内部控制可能防止、发现或纠正重大错报或漏报;
二 注册会计师拟进行符合性测试。
第二十五条 注册会计师如拟信赖内部控制,应当实施符合性测试程序,以评估控制风险。初步评估的控制风险水平越低,注册会计师就应获取越多的关于内部控制设计合理和运行有效的证据。
第二十六条 注册会计师可实施以下符合性测试程序:
一 检查交易和事项的凭证;
二 询问并实地观察未留下审计轨迹的内部控制的运行情况;
三 重新实施相关内部控制程序。
第二十七条 出现下列情况之一时,注册会计师可不进行符合性测试,而直接实施实质性测试程序:
一 相关内部控制不存在;
二 相关内部控制虽然存在,但注册会计师通过了解发现其并未有效运行;
三 符合性测试的工作量可能大于进行符合性测试所减少的实质性测试的工作量。
第二十八条 注册会计师应当根据符合性测试结果,评估内部控制的设计和运行是否与控制风险初步评估结论相一致,如果存在偏差,应当修正对控制风险的评估,并据以修改实质性测试程序的性质、时间和范围。
第二十九条 如持续接受委托,注册会计师可利用上期对内部控制的研究与评价资料,但应对其予以更新。
第三十条 注册会计师应当了解内部控制在所审计会计期间的运用是否一贯。如发生显著变动,应当考虑分别进行测试。
第三十一条 如期中审计已进行符合性测试,注册会计师在决定完全信赖其结果前,应当考虑以下因素,以进一步获取期中至期末的相关审计证据:
一 期中审计符合性测试的结论;
二 期中审计后剩余期间的长短;
三 期中审计后内部控制的变动情况;
四 期中审计后发生的交易和事项的性质及金额;
五 拟实施的实质性测试程序。
第三十二条 终结审计之前,注册会计师应当根据实质性测试的结果和其他审计证据,对控制风险进行最终评估,并检查其是否与控制风险的初步评估结论相一致。如不一致,应当考虑是否追加相应的审计程序。
第三十三条 由于控制风险与固有风险相互联系,注册会计师应当对固有风险与控制风险进行综合评估,并据以作为检查风险的评估基础。检查风险是指某一帐户或交易类别单独或连同其他帐户、交易类别产生重大错报或漏报,而未能被实质性测试发现的可能性。固有风险及控制风险的评估对检查风险有直接影响,固有风险和控制风险的水平越高,注册会计师就应实施越详细的实质性测试程序,并著重考虑其性质、时间和范围,以将检查风险降低至可接受的水平。
第三十四条 不论固有风险和控制风险的评估结果如何,注册会计师均应对各重要帐户或交易类别进行实质性测试。
第三十五条 如经实施有关审计程序,注册会计师仍认为某一重要帐户或交易类别认定的检查风险不能降低至可接受的水平,应当发表保留意见或拒绝表示意见。
第三十六条 小规模企业的内部控制通常比较薄弱,固有风险和控制风险较高,注册会计师应当主要或全部依赖实质性测试程序获取审计证据,以将检查风险降低至可接受的水平。
第五章 附 则
第三十七条 本准则由中国注册会计师协会负责解释。
第三十八条 本准则自l997年1月1日起施行。
SPECIFIC INDEPENDENT AUDITING STANDARD NO.9——INTERNAL CONTROLS AND AUDIT RISK
Chapter 1 General provisions
Article 1
This standard is prepared in accordance with the General Independent Auditing Standard to establish standards for Certified Public Accountants (“CPAs”) on the study and evaluation of an entity's internal controls in the audit of financial statements, to assess audit risk, to improve audit efficiency and to ensure a high standard of professional work.
Article 2
The term “internal controls” in this standard refers to the policies and procedures formulated and implemented by an entity with a view to ensuring the efficient conduct of the business activities, safeguarding assets, preventing, detecting and correcting error and fraud, and ensuring the truthfulness, legitimacy and completeness of accounting information.
Internal controls include the control environment, accounting systems and control procedures.
Article 3
The term “audit risk” in this standard refers to the possibility of the CPA expressing an inappropriate audit opinion after performing an audit, when the financial statements contain material misstatements or omissions. Audit risk includes inherent risk, control risk and detection risk.
Article 4
Unless otherwise specified, CPAs should refer to this standard in performing audit work other than the audit of financial statements.
Chapter 2 General principles
Article 5
When preparing the audit plan, the CPA should study and evaluate the entity's internal controls.
Article 6
The CPA should perform compliance tests on any internal controls, which are intended to be relied upon, to determine the impact on the nature, timing and extent of the substantive tests.
Article 7
The CPA should maintain professional scepticism, apply professional judgement reasonably to assess the audit risk and to design and perform relevant audit procedures in order to reduce the audit risk to an acceptable level.
Article 8
The CPA should document the work carried out and the results of the study and evaluation of the internal controls and the assessment of the audit risk in the audit working papers.
Chapter 3 Internal controls
Article 9
It is the accounting responsibility of the entity's management to establish sound internal controls. The relevant internal controls should generally:
(1) ensure that business activities are conducted in accordance with appropriate authorization;
(2) ensure that all transactions and events are promptly recorded at the correct amount, in the appropriate accounts and in the proper accounting period, to enable preparation of financial statements in accordance with the relevant requirements of the accounting standards;
(3) ensure that access to and handling of assets and records are permitted only in accordance with appropriate authorization; and
(4) ensure that assets recorded are reconciled with the physical assets at regular intervals.
Article 10
When determining the reliability of internal controls, the CPA should maintain professional scepticism and pay adequate attention to the following inherent limitations of internal controls:
(1) The design and implementation of internal controls are restricted by the principle of cost and benefit;
(2) Internal controls tend to be directed at routine business activities;
(3) Even perfectly designed internal controls may not operate effectively due to human carelessness, distraction, mis-judgement and the misunderstanding of instructions;
(4) Internal controls may be circumvented through the collusion by relevant persons with parties inside or outside the entity;
(5) Internal controls may be circumvented when a person responsible
for exercising an internal control abuses that responsibility or submits to external pressure; and
(6) Internal controls may deteriorate or become ineffective due to changes in the operating environment and the nature of the business.
Article 11
When preparing the audit plan, the CPA should understand the design and operating conditions of the entity's internal controls.
When determining the nature, timing and extent of the audit procedures which should be performed to understand the internal controls, the CPA should mainly consider the following factors:
(1) the size and business complexity of the entity;
(2) the type and complexity of the entity's data processing system;
(3) audit materiality;
(4) the type of relevant internal controls;
(5) the documentation of relevant internal controls; and
(6) the result of the assessment of inherent risk.
Article 12
In understanding the internal controls, the CPA should make reasonable use of previous audit experience. With regard to significant internal controls, generally the CPA may also perform the following procedures:
(1) make enquiries of the entity's relevant persons and inspect the relevant internal control documentation;
(2) inspect the documents and records generated by the internal controls;
(3) observe the entity's business activities and the operating conditions of the internal controls; and
(4) choose certain typical transactions and events and perform walkthrough tests on them.
Article 13
The CPA should obtain and understanding of the control environment sufficient to assess the attitudes, awareness and actions of the entity's management regarding internal controls and their importance.
Major factors affecting the control environment include:
(1) philosophy, methods and style of management;
(2) organisational structure and methods of assigning authority and responsibility; and
(3) the control system.
Article 14
The CPA should obtain an understanding of the accounting system sufficient to identify and understand:
(1) the major classes of transactions and activities of the entity;
(2) how major classes of transactions and activities are initiated;
(3) significant supporting documents, accounting records and items in the financial statements; and
(4) the accounting and financial reporting process for significant transactions and events.
Article 15
The CPA should obtain an understanding of the following major control procedures sufficient to determine the relevant audit procedures reasonably:
(1) the authorisation of transactions;
(2) the assignment of responsibility;
(3) the control of supporting documents and records;
(4) access to assets and use of records; and
(5) any independent checking.
Article 16
Internal audit is an important component of the entity's control system. The CPA should consider the following factors when studying and evaluating the quality of the internal audit work to determine whether to rely on the results of the internal audit work:
(1) the independence of the internal auditors;
(2) the experience and competence of the internal auditors;
(3) the nature, timing and extent of the internal audit procedures;
(4) the sufficiency and appropriateness of the audit evidence obtained by the internal auditors; and
(5) the merit placed on the internal audit work by the management.
Article 17
The CPA may use various methods such as narrative descriptions, questionnaires, check lists, flow charts etc. to understand and evaluate internal controls and should include them in the audit working papers.
Article 18
The CPA should inform the entity's management of material internal control weaknesses identified during the audit. If necessary, a management letter may be issued.
Chapter 4 Audit risk
Article 19
In developing the overall audit plan, the CPA should assess inherent risk at the financial statement level. Inherent risk refers to the susceptibility of an account balance, or class of transactions, to material misstatements or omissions, either individually or when aggregated with misstatements or omissions in other account balances or classes of transactions, assuming that there were no relevant internal controls.
Article 20
In developing the detailed audit plan, the CPA should consider the impact of the assessment of inherent risk on the material account balances or classes of transactions at the assertion level, or directly assume that inherent risk is high for the assertion.
Article 21
The CPA should exercise professional judgement reasonably and consider the following factors when assessing inherent risk:
(1) the integrity and competence of management;
(2) any changes in management, especially the financial staff;
(3) any unusual pressures on management;
(4) the nature of business;
(5) the circumstances and factors affecting the industry in which the entity operates;
(6) financial statement items likely to be susceptible to misstatements;
(7) the complexity of important transactions and events which might require using the work of an expert;
(8) the degree of estimation and judgement involved in determining account balances;
(9) the susceptibility of assets to loss or misappropriation;
(10) the occurrence of unusual or complex transactions during the accounting period, particularly near the accounting period end; and
(11) the susceptibility of transactions and events to omissions in the routine accounting process.
Article 22
After understanding the internal controls and assessing inherent risk, the CPA should make a preliminary assessment of control risk, at the assertion level, for each material account balance or class of transactions. Control risk refers to the possibility that a misstatement or omission that could occur in an account balance or class of transactions, either individually or when aggregated with misstatements or omissions in other account balances or classes of transactions, will not be prevented, detected or corrected by the internal controls.
Article 23
The CPA should assess the control risk of material account balances or classes of transactions at a high level, for some or all assertions, when one or more of the following situations occurs:
(1) the entity's internal controls are not effective;
(2) it is difficult for the CPA to assess the effectiveness of internal controls; or
(3) the CPA does not plan to perform compliance tests.
Article 24
When making a preliminary assessment of control risk for a financial statement assertion, the CPA should not assess the control risk at a high level when:
(1) relevant internal controls are likely to prevent, detect or correct material misstatements or omissions; and
(2) the CPA plans to perform compliance tests.
Article 25
if the CPA plans to rely on the internal controls, he should perform compliance procedures to assess the control risk. The lower the preliminary assessment of control risk, the more evidence the CPA should obtain to show that internal controls are suitably designed and operating effectively.
Article 26
The CPA may perform the following compliance procedures:
(1) inspection of documents supporting transactions and events;
(2) enquiries about, and observation of, internal control operations which leave no audit trail; and
(3) reperformance of relevant internal control procedures.
Article 27
When one or more of the following situations occurs, the CPA may directly perform substantive procedures without performing compliance tests:
(1) the relevant internal controls do not exist;
(2) even though the relevant internal controls exist, the CPA, through preliminary study, discovers that the internal controls do not operate effectively; or
(3) compliance tests require more work than the reduction of substantive tests that would have been achieved by performing compliance tests.
Article 28
Based on the results of the compliance tests, the CPA should assess whether the design and operation of the internal controls are in line with the conclusion drawn from the preliminary assessment of control risk. If there are discrepancies, the assessed level of control risk should be revised and the nature, timing and extent of substantive procedures should be modified accordingly.
Article 29
In a continuing engagement, the CPA may make use of the information relating to the study and evaluation of internal controls obtained in prior periods, but will need to update it.
Article 30
The CPA should understand whether the internal controls were applied consistently throughout the accounting period being audited. If there were obvious changes, the CPA should consider testing them separately.
Article 31
If compliance tests have been performed in the interim audit, the CPA, before deciding to rely entirely on their results, should consider the following factors to obtain further audit evidence for the period between interim period end and final period end:
(1) the conclusion drawn from the compliance tests in the interim audit;
(2) the length of the remaining period after the interim audit;
(3) any changes in internal controls after the interim audit;
(4) the nature and amount of the transactions and activities which occurred after the interim audit; and
(5) the substantive procedures to be performed.
Article 32
Before concluding the audit, the CPA should, based on the results of substantive tests and other audit evidence, make a final assessment of the control risk and check whether it is in line with the conclusion drawn from the preliminary assessment of the risk. If not, the CPA should consider whether additional relevant audit procedures should be performed.
Article 33
As control risk and inherent risk are related, the CPA should make an overall assessment of inherent risk and control risk, and use the result as the basis for the assessment of detection risk.
Detection risk refers to the possibility that substantive tests will not detect a misstatement or omission that exists in an account balance or class of transactions that could be material, either individually or when aggregated with misstatements or omissions in other account balances or classes of transactions.
The assessment of inherent risk and control risk has a direct impact on the assessment of detection risk. For higher levels of inherent risk and control risk, the CPA should perform more detailed substantive procedures and should also consider their nature, timing and extent to reduce the detection risk to an acceptable level.
Article 34
Regardless of the result of the assessment of inherent risk and control risk, the CPA should perform substantive tests on all material account balances or classes of transactions.
Article 35
If, after performing relevant audit procedures, the CPA still believes that detection risk regarding an assertion for a material account balance or class of transactions cannot be reduced to an acceptable level, the CPA should express a qualified opinion or a disclaimer of opinion.
Article 36
The internal controls in small businesses are usually weaker, resulting in higher inherent risk and control risk. The CPA should heavily or entirely rely on substantive procedures to obtain audit evidence in order to reduce the detection risk to an acceptable level.
Chapter 5 Supplementary provisions
Article 37
The Chinese Institute of Certified Public Accountants is responsible for the interpretation of this standard.
Article 38
This standard takes effect from 1 January 1997
注:英文版来源,http://www.eduzhai.net/ 
|
