A2-Risk Assessment - Part 2 Flashcards
what is internal control?
- a process effected by those charged with governance, by management, and other personnel, designed to provide reasonable assurance about the achievement of the entity’s objectives
- 3 categories of an entity’s objectives: financial reporting, operations, and compliance
1. reliability of financial reporting (FS fraud = lying)
2. effectiveness and efficiency of operations (asset misappropriation = stealing)
3. compliance with applicable laws and regulations (corruption = cheating)
which objective is most relevant to the audit?
- The reliability of the financial reporting objective is the most relevant to the audit
what are the 5 components of internal control?
CRIME - CPA is required to understand each element of CRIME as it relates to financial reporting;
- Control environment: leadership; tone at the top
- Risk assessment: management’s identification of risk, NOT the auditor’s
- Information and communication systems: a means of recording transactions and communicating responsibilities; support the identification, capture, and exchange of info in a timely and useful manner
- Monitoring: assessment of internal control performance over time
- Existing control activities: control policies and procedures
It’s a CRIME not to have a strong internal control framework
What common circumstances would raise concern regarding management’s philosophy and operating style?
- management consumed with meeting the budget
- management dominated by one person
- management compensation contingent upon the entity’s financial performance
what is the effect if the entity has a weak control environment?
affects NET; the auditor may perform more (extent) substantive procedures (nature) as of the balance sheet date (time) rather than at interim.
what are policies and procedures of existing control activities?
- in a well-designed internal control environment, fraud and errors should be PREVENTED and/or DETECTED by employees in the ordinary course of their job/business
- PAID TIPS
1. Prenumbering of documents: “your checkbook”
2. Authorization of transactions: “signed approval”
3. Independent checks to maintain asset accountability: “checks and balances” verification of work previously done by others
4. Documentation: “paper trail”
5. Timely and appropriate financial performance reviews: “analytical review” comparison of actual performance to budgets, forecasts, and prior periods; comparison of financial to nonfinancial info
6. Information processing controls: ensure transactions are valid, properly authorized, completely and accurately recorded
7. Physical controls for safeguarding assets: “security”
8. Segregation of duties: provides a cross-check of one individual’s work against the work of another.
what are the 3 common functions that need segregation of duties?
- segregation of duties is your ARC to protect against a flood of troubles
- ARC
1. Authorizing transactions
2. Record keeping or recording transactions
3. Custody of related assets
what is the purpose of internal control? and exceptions?
- prevent and/or detect and quickly correct
- exceptions: collusion (involving 2 or more people), management override, and human error
what are the procedures used to obtain evidence about the design and implementation of internal controls?
- Inquiry of entity personnel
- Observation of application of controls
- Inspection of documents and reports
- Walk-throughs: assist the auditor in obtaining an understanding of the IT systems that are used to process and record financial transactions
How can a walk-through be performed?
One or both of the following
1. select a single transaction and trace it through the entity’s info processing system
2. identify the key steps
A complete and accurate list of walk-through procedures: inquiry, observation, inspection of relevant documentation, and reperformance of controls
what items should the auditor document?
Documentation may include any item the auditor can FIND:
1. Flowchart: depicts auditor’s understanding of internal control
2. Internal control questionnaire or checklists
3. Narrative: lengthy written version of flowchart, so it’s hard to “see” weakness in internal control
4. Documentation from client: including copies of the entity’s procedures manuals and org charts
what is IT general control?
- policies and procedures that relate to many applications and support the effective functioning and proper operation of the information system
- ex: passwords, backup/recovery system, admin rights to the network
what is IT application control?
- apply to the processing of INDIVIDUAL transactions
- ex: maintain and review accounts and trial balances, check mathematical accuracy of records
what are benefits of IT?
- ability to process large volumes of transactions and data accurately and consistently
- improve timeliness
- enhance segregation of duties, ability to monitor the performance
what are IT risks?
- potential reliance on an inaccurate system
- unauthorized access to data
- unauthorized changes to data
- failure to make required changes or updates to systems
- inappropriate manual intervention
- potential loss of data
Auditor should:
1. document use of programs
2. perform tests more often during the year: to ensure the system is still working accurately
what is the difference between an entity’s risk assessment and auditor’s risk assessment?
- The entity’s risk assessment is concerned with managing risks that affect the entity’s objectives (financial reporting, operations, and compliance)
- The auditor’s risk assessment is concerned with the risk that material misstatement could occur in the financial statements
How are an entity’s objectives and component of internal control linked together?
- an entity’s objectives, which are what the entity strives to achieve
- the components of internal control, which represent what is needed to achieve the objectives
what is internal control relevant to?
internal control is relevant to an entire entity, or to any of its operating units or business functions