会协字[1996]457号
颁布日期：19961226 　实施日期：19970101 　颁布单位：中国注册会计师协会

　　Chapter 1 General provisions

　　Article 1

　　This standard is prepared in accordance with the General Independent Auditing² Standard to establish standards for Certified³ Public Accountants （“CPAs”） on the study and evaluation⁴ of an entity⁵'s internal controls in the audit¹ of financial statements， to assess audit risk， to improve audit efficiency and to ensure a high standard of professional work.

　　Article 2

　　The term “internal controls” in this standard refers to the policies and procedures formulated⁶ and implemented⁷ by an entity with a view to ensuring the efficient conduct of the business activities， safeguarding assets， preventing， detecting and correcting error and fraud， and ensuring the truthfulness⁸， legitimacy⁹ and completeness of accounting¹⁰ information.

　　Internal controls include the control environment， accounting systems and control procedures.

　　Article 3

　　The term “audit risk” in this standard refers to the possibility of the CPA expressing an inappropriate audit opinion after performing an audit， when the financial statements contain material misstatements or omissions¹². Audit risk includes inherent risk， control risk and detection risk.

　　Article 4

　　Unless otherwise specified¹³， CPAs should refer to this standard in performing audit work other than the audit of financial statements.

　　Chapter 2 General principles

　　Article 5

　　When preparing the audit plan， the CPA should study and evaluate the entity's internal controls.

　　Article 6

　　The CPA should perform compliance¹⁴ tests on any internal controls， which are intended to be relied upon， to determine the impact on the nature， timing¹⁵ and extent of the substantive¹⁶ tests.

　　Article 7

　　The CPA should maintain professional scepticism， apply professional judgement reasonably to assess the audit risk and to design and perform relevant audit procedures in order to reduce the audit risk to an acceptable level.

　　Article 8

　　The CPA should document the work carried out and the results of the study and evaluation of the internal controls and the assessment¹⁷ of the audit risk in the audit working papers.

　　Chapter 3 Internal controls

　　Article 9

　　It is the accounting responsibility of the entity's management to establish sound internal controls. The relevant internal controls should generally：

　　（1） ensure that business activities are conducted in accordance with appropriate authorization¹⁸；

　　（2） ensure that all transactions and events are promptly¹⁹ recorded at the correct amount， in the appropriate accounts and in the proper accounting period， to enable preparation of financial statements in accordance with the relevant requirements of the accounting standards；

　　（3） ensure that access to and handling of assets and records are permitted only in accordance with appropriate authorization； and

　　（4） ensure that assets recorded are reconciled with the physical assets at regular intervals²⁰.

　　Article 10

　　When determining the reliability²¹ of internal controls， the CPA should maintain professional scepticism and pay adequate attention to the following inherent limitations of internal controls：

　　（1） The design and implementation²² of internal controls are restricted by the principle of cost and benefit；

　　（2） Internal controls tend to be directed at routine business activities；

　　（3） Even perfectly²³ designed internal controls may not operate effectively due to human carelessness， distraction²⁴， mis-judgement and the misunderstanding of instructions；

　　（4） Internal controls may be circumvented²⁵ through the collusion by relevant persons with parties inside or outside the entity；

　　（5） Internal controls may be circumvented when a person responsible for exercising an internal control abuses that responsibility or submits to external pressure； and

　　（6） Internal controls may deteriorate²⁶ or become ineffective due to changes in the operating environment and the nature of the business.

　　Article 11

　　When preparing the audit plan， the CPA should understand the design and operating conditions of the entity's internal controls.

　　When determining the nature， timing and extent of the audit procedures which should be performed to understand the internal controls， the CPA should mainly consider the following factors：

　　（1） the size and business complexity²⁷ of the entity；

　　（2） the type and complexity of the entity's data processing system；

　　（3） audit materiality；

　　（4） the type of relevant internal controls；

　　（5） the documentation of relevant internal controls； and

　　（6） the result of the assessment of inherent risk.

　　Article 12

　　In understanding the internal controls， the CPA should make reasonable use of previous audit experience. With regard to significant internal controls， generally the CPA may also perform the following procedures：

　　（1） make enquiries of the entity's relevant persons and inspect the relevant internal control documentation；

　　（2） inspect the documents and records generated by the internal controls；

　　（3） observe the entity's business activities and the operating conditions of the internal controls； and

　　（4） choose certain typical transactions and events and perform walkthrough tests on them.

　　Article 13

　　The CPA should obtain and understanding of the control environment sufficient to assess the attitudes， awareness²⁸ and actions of the entity's management regarding internal controls and their importance.

　　Major factors affecting the control environment include：

　　（1） philosophy， methods and style of management；

　　（2） organisational structure and methods of assigning authority and responsibility； and

　　（3） the control system.

　　Article 14

　　The CPA should obtain an understanding of the accounting system sufficient to identify and understand：

　　（1） the major classes of transactions and activities of the entity；

　　（2） how major classes of transactions and activities are initiated²⁹；

　　（3） significant supporting documents， accounting records and items in the financial statements； and

　　（4） the accounting and financial reporting process for significant transactions and events.

　　Article 15

　　The CPA should obtain an understanding of the following major control procedures sufficient to determine the relevant audit procedures reasonably：

　　（1） the authorisation of transactions；

　　（2） the assignment of responsibility；

　　（3） the control of supporting documents and records；

　　（4） access to assets and use of records； and

　　（5） any independent checking.

　　Article 16

　　Internal audit is an important component³⁰ of the entity's control system. The CPA should consider the following factors when studying and evaluating the quality of the internal audit work to determine whether to rely on the results of the internal audit work：

　　（1） the independence of the internal auditors³¹；

　　（2） the experience and competence³² of the internal auditors；

　　（3） the nature， timing and extent of the internal audit procedures；

　　（4） the sufficiency and appropriateness of the audit evidence obtained by the internal auditors； and

　　（5） the merit placed on the internal audit work by the management.

　　Article 17

　　The CPA may use various methods such as narrative³³ descriptions， questionnaires， check lists， flow charts etc. to understand and evaluate internal controls and should include them in the audit working papers.

　　Article 18

　　The CPA should inform the entity's management of material internal control weaknesses identified during the audit. If necessary， a management letter may be issued.

　　Chapter 4 Audit risk

　　Article 19

　　In developing the overall audit plan， the CPA should assess inherent risk at the financial statement level. Inherent risk refers to the susceptibility of an account balance， or class of transactions， to material misstatements or omissions， either individually or when aggregated³⁴ with misstatements or omissions in other account balances or classes of transactions， assuming that there were no relevant internal controls.

　　Article 20

　　In developing the detailed³⁵ audit plan， the CPA should consider the impact of the assessment of inherent risk on the material account balances or classes of transactions at the assertion level， or directly assume that inherent risk is high for the assertion.

　　Article 21

　　The CPA should exercise professional judgement reasonably and consider the following factors when assessing inherent risk：

　　（1） the integrity and competence of management；

　　（2） any changes in management， especially the financial staff；

　　（3） any unusual pressures on management；

　　（4） the nature of business；

　　（5） the circumstances and factors affecting the industry in which the entity operates；

　　（6） financial statement items likely to be susceptible³⁶ to misstatements；

　　（7） the complexity of important transactions and events which might require using the work of an expert；

　　（8） the degree of estimation and judgement involved in determining account balances；

　　（9） the susceptibility of assets to loss or misappropriation；

　　（10） the occurrence of unusual or complex transactions during the accounting period， particularly near the accounting period end； and

　　（11） the susceptibility of transactions and events to omissions in the routine accounting process.

　　Article 22

　　After understanding the internal controls and assessing inherent risk， the CPA should make a preliminary assessment of control risk， at the assertion level， for each material account balance or class of transactions. Control risk refers to the possibility that a misstatement or omission¹¹ that could occur in an account balance or class of transactions， either individually or when aggregated with misstatements or omissions in other account balances or classes of transactions， will not be prevented， detected or corrected by the internal controls.

　　Article 23

　　The CPA should assess the control risk of material account balances or classes of transactions at a high level， for some or all assertions， when one or more of the following situations occurs：

　　（1） the entity's internal controls are not effective；

　　（2） it is difficult for the CPA to assess the effectiveness of internal controls； or

　　（3） the CPA does not plan to perform compliance tests.

　　Article 24

　　When making a preliminary assessment of control risk for a financial statement assertion， the CPA should not assess the control risk at a high level when：

　　（1） relevant internal controls are likely to prevent， detect or correct material misstatements or omissions； and

　　（2） the CPA plans to perform compliance tests.

　　Article 25

　　if the CPA plans to rely on the internal controls， he should perform compliance procedures to assess the control risk. The lower the preliminary assessment of control risk， the more evidence the CPA should obtain to show that internal controls are suitably designed and operating effectively.

　　Article 26

　　The CPA may perform the following compliance procedures：

　　（1） inspection³⁷ of documents supporting transactions and events；

　　（2） enquiries about， and observation of， internal control operations which leave no audit trail； and

　　（3） reperformance of relevant internal control procedures.

　　Article 27

　　When one or more of the following situations occurs， the CPA may directly perform substantive procedures without performing compliance tests：

　　（1） the relevant internal controls do not exist；

　　（2） even though the relevant internal controls exist， the CPA， through preliminary study， discovers that the internal controls do not operate effectively； or

　　（3） compliance tests require more work than the reduction of substantive tests that would have been achieved by performing compliance tests.

　　Article 28

　　Based on the results of the compliance tests， the CPA should assess whether the design and operation of the internal controls are in line with the conclusion drawn³⁸ from the preliminary assessment of control risk. If there are discrepancies³⁹， the assessed level of control risk should be revised and the nature， timing and extent of substantive procedures should be modified accordingly.

　　Article 29

　　In a continuing engagement， the CPA may make use of the information relating to the study and evaluation of internal controls obtained in prior periods， but will need to update it.

　　Article 30

　　The CPA should understand whether the internal controls were applied⁴⁰ consistently throughout the accounting period being audited⁴¹. If there were obvious changes， the CPA should consider testing them separately.

　　Article 31

　　If compliance tests have been performed in the interim⁴² audit， the CPA， before deciding to rely entirely⁴³ on their results， should consider the following factors to obtain further audit evidence for the period between interim period end and final period end：

　　（1） the conclusion drawn from the compliance tests in the interim audit；

　　（2） the length of the remaining period after the interim audit；

　　（3） any changes in internal controls after the interim audit；

　　（4） the nature and amount of the transactions and activities which occurred after the interim audit； and

　　（5） the substantive procedures to be performed.

　　Article 32

　　Before concluding the audit， the CPA should， based on the results of substantive tests and other audit evidence， make a final assessment of the control risk and check whether it is in line with the conclusion drawn from the preliminary assessment of the risk. If not， the CPA should consider whether additional relevant audit procedures should be performed.

　　Article 33

　　As control risk and inherent risk are related， the CPA should make an overall assessment of inherent risk and control risk， and use the result as the basis for the assessment of detection risk.

　　Detection risk refers to the possibility that substantive tests will not detect a misstatement or omission that exists in an account balance or class of transactions that could be material， either individually or when aggregated with misstatements or omissions in other account balances or classes of transactions.

　　The assessment of inherent risk and control risk has a direct impact on the assessment of detection risk. For higher levels of inherent risk and control risk， the CPA should perform more detailed substantive procedures and should also consider their nature， timing and extent to reduce the detection risk to an acceptable level.

　　Article 34

　　Regardless of the result of the assessment of inherent risk and control risk， the CPA should perform substantive tests on all material account balances or classes of transactions.

　　Article 35

　　If， after performing relevant audit procedures， the CPA still believes that detection risk regarding an assertion for a material account balance or class of transactions cannot be reduced to an acceptable level， the CPA should express a qualified⁴⁴ opinion or a disclaimer of opinion.

　　Article 36

　　The internal controls in small businesses are usually weaker， resulting in higher inherent risk and control risk. The CPA should heavily or entirely rely on substantive procedures to obtain audit evidence in order to reduce the detection risk to an acceptable level.

　　Chapter 5 Supplementary⁴⁵ provisions

　　Article 37

　　The Chinese Institute of Certified Public Accountants is responsible for the interpretation⁴⁶ of this standard.

　　Article 38

　　This standard takes effect from 1 January 1997.

上一篇：独立审计具体准则第8号——错误与舞弊 下一篇：独立审计具体准则第10号——审计重要性