Assessing Risk & Developing Planned Response (25-35%) Flashcards
What should the auditor do when developing an overall audit strategy?
- identify characteristics of audit that define its scope
- assess reporting objectives in order to plan timing of audit and nature of communications required
- decide what factors are significant in directing audit team
- analyze results of preliminary procedures
- assess nature, timing, and extent of resources necessary to perform engagement
What does developing a detailed engagement plan involve?
- obtaining understanding of entity & its environment
- doing a risk assessment
- if applicable, done while comparing & contrasting to PY’s engagement
point of audit planning is to plan the audit so that it will be performed effectively
engagement partner and other key members of audit team should be the ones involved in planning
What are the preliminary engagement activities?
- evaluate any QC (quality control) issues that could affect client acceptance
- evaluate any potential independence issues
- determine if audit will require work of a specialist
- audit documentation, including:
- overall audit strategy
- audit programs
- any major changes made to overall strategy/audit programs during audit, and reasons for such changes
What is materiality?
an amount that if missing or misstated on the FS, would likely lead to a reasonable person to be influenced to make a different decision than if the amount had been corrected
big enough to matter
- should be documented at FS level
- should document any revisions during audit
- for specific transactions or for account balances
What is audit risk?
risk or probability that auditor expresses clean opinion when there is actually a material misstatement in FS
reasonable assurance is a high level of assurance, which in turn provides a low level of audit risk
What are the 3 elements of the Audit Risk Model?
- IR (inherent risk)
- CR (control risk)
- DR (detection risk)
Audit Risk = IR x CR x DR
auditor assess inherent risk and control risk because it affects the level of detection risk that auditor can accept
*IR x CR = RMM (risk of material misstatement) - assessed by auditor
What are Analytical Procedures and what are 3 ways they are used?
evaluations of financial information based on relationships among both financial data and non-financial data
can involve trends, comparing CY to PY, ratios, etc.
analytics used in 3 ways:
- in planning stage for risk assessment (required)
- as substantive procedure (not required)
- as a final review (required)
How does fraud play a role in auditing?
an audit provides reasonable assurance that fraud will be detected - may not be able to detect
professional skepticism - have a questioning mind and a critical assessment of audit evidence - do not assume fraud is happening, but question assertions made by management
What are the types of fraud?
- fraudulent reporting
- pressure to meet expectations or requirements (earnings projections, debt covenants, financing agreements)
- misappropriation of assets
- pressure on EEs such as personal financial problems
- low EE morale or attitude of the company owes me or I am underpaid
- if assets are easy to access, such as EEs that have access to cash
What is involved in Management Override of Internal Controls?
is one of the biggest risk factors for fraud
examples:
- pushing through a transaction that does not have a real business purpose
- unauthorized journal entry
- putting pressure on an EE to make JE they would not normally make
procedures would include:
- examining AJEs
- especially JEs close to beg & end of reporting periods
- evaluate estimation for bias
- examine authorization for unusual transactions
How should the communication work if fraud is found?
if misstatement is material - auditor informs those charged with governance whether senior management is/is not involved in the fraud
if misstatement is not material - auditor informs appropriate level of management (one level above where fraud occurred)
When does an auditor report fraud to an outside party?
- when subpoena has been issued
- when SEC (public) client is changing auditors
- as required by GAS - Government Auditing Standards
- when auditor has been authorized to communicate with preceding auditor
What are the EXTERNAL factors to gaining an understanding of entity and its environment?
- INDUSTRY factors (market, competition, demand, seasonal activity)
- REGULATORY factors (accounting practices, frameworks, taxation, governmental policies, environmental regulations)
- ECONOMIC CONDITIONS (interest rates, financing, inflation)
- TECHNOLOGY factors
What are the INTERNAL factors to gaining an understanding of entity and its environment?
- nature of operations
- ownership & governance structure
- type of investments entity is making
- how entity is structured & financed
- how entity selects accounting policies & if appropriate to its industry
- objectives & strategies & related business risks involved
- IT systems infrastructure (ERP, cloud computing setup, custom developed)
- any significant business procedures and/or data flows that directly impact FS
What is involved in obtaining an understanding of internal controls?
EVALUATING the DESIGN of the control and determining whether the control has been implemented
auditor performs WALK-THROUGHS of key controls to verify controls have been implemented
auditor should FOCUS on SUBSTANCE of procedures (are they working & effective?) INSTEAD of their FORM - management might have appropriate controls on paper, but might not be enforced
sometimes a FLOWCHART is created/documented to show auditors understanding of system
What happens if the auditor decides to rely on internal controls? If decides to not rely on internal controls?
to rely - assessing control risk below max:
reduces substantive procedures, auditor will perform tests of controls to make sure design effectiveness of controls is also working like they are supposed to (operating effectiveness)
not to rely - assessing control risk at max:
audit plan will be wholly substantive, which means auditor will test the account through substantive procedures and will not rely on internal controls
What are the 5 elements of Internal Control?
CRIME
- (E) - CONTROL ENVIRONMENT (policies & procedures to establish overall control of organization - tone at the top)
- (R) - RISK ASSESSMENT (policies to identify & analyze relevant risks to be managed)
- (C) - CONTROL ACTIVITIES (policies & procedures so that management’s objectives will be achieved, includes Segregation of duties, Authorization, and Physical controls - SAP)
- (I) - INFORMATION & COMMUNICATION systems (policies & procedures to identify/capture/exchange relevant info so that EEs can meet their responsibilities in timely manner)
- (M) - MONITORING (policies & procedures to measure effectiveness of internal controls and time goes on)
What are Risk Assessment Procedures?
what the auditor does to assess the risk of material misstatement
- inquires of management and others
- observation & inspection of documents
- analytical planning procedures
- review of information from prior periods
- audit team discussion about risks identified - discuss how risks affect specific areas of the audit
What is involved in performing a walkthrough?
standard procedure to make sure auditor understands flow of transactions and can document it (part of gaining an understanding, and is not a test of controls)
auditor selects few transactions and traces them through client’s accounting system
What are certain things that the audit team is required to document?
- audit team discussion about RMM (risk of material misstatement) & key elements about entity, its environment, etc.
- assessment of RMM at FS level & at relevant assertion level
- identified significant risks & related controls the auditor obtained an understanding of (walkthroughs)
With regards to Internal Controls, what is the auditor not required to do?
- perform test of controls (but can if necessary)
- search for significant deficiencies (but they may find them)
- determine whether controls are suitably designed to prevent or detect material misstatements (auditor does this, but not to all controls, just related to significant assertions/accounts)
The 3 main types of tasks that should be separated for segregation of duties include?
CAR or AAA
- Access (Custody) such as custody of the pre-numbered sales invoices or the goods being handled by the shipping department
- Authorization (execution) such as granting credit
- Accounting (Record keeping) such as entering customers order form & dealing with receivables & collections
What are physical controls and authorizations that should be applied?
PHYSICIAL CONTROLS:
- computer passwords & different account types within system with different levels of permissions
- custody of cash receipts/inventory should be handled by EEs without access to record keeping
AUTHORIZATIONS:
- transactions should be authorized
- AJEs should be reviewed & approved by management
What are reviews and information processing that should be applied?
REVIEW:
- monthly statements should be sent to customers
- related documents such as sales invoice, sales order form, and shipping documents should be compared
- cutoff should be verified to make sure transactions have been recorded in proper period
INFORMATION PROCESSING:
- focus on entity’s records regarding audit trail
- all key documents should be pre-numbered and sequence should be accounted for
- aged trial balance should be reconciled to GL periodically
What are internal control objectives for receipt of cash?
- when cash/checks received, posted to a remittance log (listing of all cash receipts)
- transaction is also posted in cash receipts journal and all cash receipts will be posted to that month’s receipts in the general ledger
- different EEs should open the mail, do accounting activities, prepare deposits of checks, and reconcile bank accounts
- each cash receipt should be listed immediately when mail is opened (best is to use bank lockbox system)
- ERs will bond EEs that handle cash receipts (insures company against loss from illegal acts by EEs)
- lapping = when cash received from customer is stolen and shortage is hidden by crediting first customers account with cash received from a second customer - prevented by 2 different people receiving cash & posting payments received to AR ledger
What are internal control procedures for expenses/disbursements?
- purchasing department makes purchases using pre-numbered purchase orders
- AR department takes possession of deliveries
- AP department handles accounting function & approves payments
- only designated EEs able to make purchases for company
- checks require dual signatures
- both receipts and disbursements bank reconciliations should be prepared on a timely basis
- all key documents pre-numbered and sequence should be accounted for
- supporting documents such as invoices cancelled as paid as soon as they are paid
What are internal control procedures for payroll?
- EE timecards/timesheets taken and prepared/recorded in payroll journal (supervisor approval)
- checks given to EEs & periods payroll is posted to GL
- HR keeps records containing pay rates/personnel files
- treasury issues checks, signs them & distributes them
- payroll department calculates payroll & does record-keeping each period
What are the 2 main categories of IT Controls?
- GENERAL controls (widespread/pervasive)
- APPLICATION controls (specific to)
What are the policies and procedures under the General Controls of IT Controls?
- controls over data & network operations
- software acquisition
- access security
- physical security of assets (access to records)
- authorization to computer programs/data
- file backup & disaster recovery plan
What are the policies and procedures under the Application Controls of IT Controls?
1) INPUT CONTROLS (meant to reduce mistakes when data is entered into system):
- BATCH TOTALS (totals that actually mean something - total of cash received that day)
- HASH TOTALS (totals with no dollar meaning, but can be used to check for mistakes - employee ID #s being added up)
- RECORD COUNT (keeps track of # of records processed to determine that right # of records have been accounted for)
2) LOGIC CHECKS:
- LIMIT TESTS (system would not accept 300 hours worked in one week)
- VALIDITY CHECKS (limit certain input to only valid responses - phone number field: letters, no letters)
- MISSING DATA CHECKS (input fields required & wont let user move on until required entered)
3) PROCESSING CHECKS:
- CHECKPOINTS (for long processes - if process crashes, entire process does not have to be re-executed)
- LIMIT ON PROCESSING TIME (if process takes longer than certain limit, process shuts down, assumes error occurred)
What are the types of audit software for evidence gathering?
- GENERALIZED software (out of the box - general functions)
- CUSTOMIZED software (program created to access/use - more expensive if developed for specific clients individually)
- DATA MINING software (commercial - provides features for doing substantive analytics)
- when client processes most of its data in electronic form, auditor considers using an ‘EMBEDDED AUDIT MODULE’ - computer program inserted into clients system which selects transactions for further review by auditor
What are Tests of Controls Procedures when IT Controls are Internal?
- TEST DATA (put dummy transactions through clients system that contain known errors to see if system catches errors)
- INTEGRATED TEST FACILITY (creating dummy division within clients system & running dummy data alongside clients real data)
- PARALLEL SIMULATION (processing clients data on auditors software to compare between outputs)
- TAGGING (tags a transaction in order to follow it through clients system)
What are the differences between SOC1 and SOC2 engagements (System & Organization Controls) for Service Organizations?
SOC1:
service organizations that handles financial information for clients
SOC2:
based on a framework to help service organizations demonstrate their cloud & data center security controls. report is based on Trust Services Criteria.
What are the Trust Services Criteria categories for the SOC2 (System & Organization Controls) engagement?
SACPIP
- SECURITY (system/data to be protected against unauthorized access)
- AVAILABILITY (system/date to be available for use/operation)
- CONFIDENTIALITY (information designated as confidential to have appropriate protections)
- PROCESSING INTEGRITY (system/data processing must be timely/accurate/authorized)
- PRIVACY (any personal information collected to be used/retained/disclosed/disposed of appropriately)
What is considered a Service Organization?
outsourcing their payroll company (ADP) - auditor to gain understanding of services provided by service organization & the effect on client’s internal controls
What are the Type 1 and Type 2 Service Organization Reports (SOC1, SOC2)? and what do these reports cover?
1 -
prepared by auditor - provide description of service organization’s system and their internal controls
- covers service organizations system & design of controls
- report will include a disclaimer of opinion about operating effectiveness of controls
- covers service organizations system, design of controls & operating effectiveness of controls
- report provides higher level of assurance than #1
What are some impacts of risk at the FS level?
- CONTROL ENVIRONMENT CONSIDERED INEFFECTIVE - may require overall response by auditor - assigning more experienced staff to audit, using specialists, using more unpredictable audit procedures
- SUBSTANTIVE PROCEDURES ALONE WOULD NOT YIELD APPROPRIATE AUDIT EVIDENCE - auditor to use combined approach & use tests of controls to test operating effectiveness of controls in addition to substantive tests
- SIGNIFICANT CONCERNS ABOUT RMM (risk of material misstatement due to integrity of management or poor control environment) - may raise doubts about ability to audit FS - consider withdrawing
- risk assessment can change as audit goes on
How is the assessed level of RMM (risk of material misstatement) used? and what are steps after that?
assessed level of RMM used to determine acceptable level of DR (detection risk) for FS assertions (RMM is highest in transactions that require significant judgement & lowest in routine transactions)
then auditor uses acceptable level of DR to determine nature & extent of audit procedures to use
significant transactions - will always be some substantive procedures performed
as risks identified, auditor determines if relate to specific assertions or FS as a whole, then auditor identifies controls related to risks & specific assertions
may not be able to gather sufficient audit evidence from substantive procedures alone & would need to do test of controls in addition
What happens if the auditor wants to lower the acceptable level of Audit Risk?
changes to substantive procedures:
- increasing sample size
- expanding substantive procedures
- using independent parties for testing such as confirmations
*general idea - when high risk of misstatement identified - effectiveness & reliability of substantive testing should be increased - more reliable forms of testing are used
How is Materiality set for FS?
materiality set for FS as a whole is a set amount
can be calculated in different ways - common approaches:
- 1 - 2% of total assets
- 5 - 10% of net profit
- 1% of equity
*some firms have their own formulas/worksheets for determining materiality
What is Performance Materiality?
amount lower than materiality for FS - set lower so that it lowers the risk of uncorrected misstatement + undetected misstatements
can be set in different ways - simple or complex
- 10% of materiality
- 5% or a certain percentage of a transaction class/account balance
*will always be a fraction of materiality
What is a TM (Tolerable Misstatement)?
amount determined by auditor, that if an error or misstatement is found, where the difference from correct amount is below the TM, it will not impact the fair presentation of the FS
What are items for auditor to consider when using Internal Audit Function as part of the Audit?
external auditor is considering using internal auditors to help with audit
- COMPETENCE of internal auditors
- OBJECTIVITY of internal auditors
- internal auditors use of a systematic & disciplined approach
if competent & objective - can be used to perform tests of internal controls & substantive tests
final conclusions must be made by external auditor - cannot allow judgement from internal auditors on materiality of misstatements or evaluation of accounting estimates
What are ways external auditor can access internal auditors competence and objectivity?
COMPETENCE: (Cs and Es)
obtain information about Educational background, professional Experience, and professional Certifications
OBJECTIVITY: (Os)
determine Organizational level to which internal auditors report
What are items for auditor to consider when using a Specialist to help with the Audit?
external auditor is considering using specialist to help with audit - expertise needed outside of accounting/auditing that is necessary for gathering appropriate & sufficient audit evidence
- COMPTENENCE of specialist
- OBJECTIVITY of specialist
should be an agreement in writing that details what services will be performed, requirements of work needed, and any expected communications as a result of the specialist’s work
If auditor wants to use component auditor’s work in audit report, how do they report it?
component auditor’s FS need to be prepared using same framework as the group, and needs to have performed their audit according to applicable standards
auditor can decide to assume responsibility for component auditor’s work
- if they do, they will not reference their work in audit report at all
- if they do not, they will name them in their audit report (must obtain permission to do so)
What are some items that could be a possible sign of noncompliance with laws & regulations?
- irregular cash payments
- sudden discontinued business segment
- investigations by government agency
- unauthorized transactions
- unexplained payments to government employees
How do accounting estimates play a part in an audit?
big area of attention for auditor - more complex the estimate, more room for material misstatement - evaluate whether reasonable in circumstances
FV estimates not traded on an active market are complex estimates that can leave room for error
What are the main things an auditor should do when evaluating estimates? what are specific procedures auditor might perform for estimates?
- determine whether management has applied rules of reporting framework correctly
- been consistent in their methods for making estimates
- evaluate management’s assumptions used to make estimate
- evaluate methods of measurement used to make estimate
- perform tests of controls on controls used to make estimate, in addition to substantive testing
What are procedures to identify related party transactions?
- inquiry of management or requesting a list of all related parties to entity
- reviewing board minutes
- inspecting large, unusual transactions (large note payable with a 1% interest rate)
- reviewing confirmations on large balances
What do each of the 3 elements of the Audit Risk Model mean?
Audit Risk = risk that material errors or fraud exists
IR (inherent risk) = certain items more susceptible to risk
CR (control risk) = misstatement may not be prevented
DR (detection risk) = material misstatement may not be detected
AR = IR x CR x DR
*IR and CR exist independently of audit
What do test of account balances include? What do tests of transaction classes include?
ACCOUNT BALANCES:
- many transactions
- small dollar amounts
TRANSACTION CLASSES:
- few transactions
- large dollar amounts
What are some examples of Inherent Limitations of Internal Control?
CHOCO
- collusion
- human error
- override by management
- competence
- obsolescence
What are the main positions that are forms of segregations of duties for the IT department?
SAP-OLS
- Systems Analyst (design the system)
- Programmer (develop code for system)
- Operator (run system)
- Librarian (keeps track of data for system)
- Security (safeguards system)
What are the built-in controls within an IT system?
- PARITY CHECK (transmission of information between system & hardware components)
- ECHO CHECK (transmission of information over phone lines)
- DIAGNOSTIC ROUTINES (checks internal operations of hardware components)
- BOUNDARY PROTECTION (allows multiple jobs running simultaneously)
- SOURCE CODE COMPARISON PROGRAM (tests for unauthorized program changes - compares compiled code to original program)
- SECURE PASSWORD (8 characters, special characters, mixture of upper & lower case, unique, changed regularly)
- one disadvantage - computer data files vs. manual data files - easier for unauthorized person to access & alter
What is the purpose of Tests of Controls? What are the elements within that help to obtain an understanding of Internal Controls?
evaluate effectiveness of design & operation of internal controls
- inquiries
- inspection
- observation
- walkthroughs
- reperformance
What is the purpose of Substantive Tests? What are the categories within?
detect material misstatements in transaction classes, account balances, and disclosure components of the FS
- tests of details (more extensive)
- substantive analytical procedures
*can be dual purpose tests (tests of transactions & tests of controls)
What are the steps in applying Materiality?
1 - establish preliminary judgement about overall materiality
2 - allocate preliminary judgement about materiality to account balances or class of transactions
3 - estimate the aggregated misstatements & compare to materiality & tolerable misstatements
Explain step #1 of the steps in applying Materiality (establish preliminary judgement about overall materiality)?
- quantitative base (total assets, revenues, income before taxes)
- % of net income, revenue, assets (before taxes) or common = 3-5% of net income
- qualitative base (1st year engagement, control weaknesses, management turnover, high market pressures, high fraud risk, abnormal bankruptcy risk)
- when being more careful (1st year engagement), materiality would be lower
Explain step #2 of the steps in applying Materiality (allocate preliminary judgement about materiality to account balances or class of transactions)?
This is called tolerable misstatement or performance materiality
helps the auditor evaluate if individual account balances are misstated (50-75% of overall)
Explain step #3 of the steps in applying Materiality (estimate the aggregated misstatements & compare to materiality & tolerable misstatements)?
aggregated misstatements (account level or FS level): - FACTUAL misstatements (amount of misstatements is known)
- JUDGEMENTAL misstatements (based on difference between auditor & management regarding accounting estimates)
- PROJECTED misstatements (based on sample data)
- misstatements CARRIED FORWARD from prior periods and affect future years (ex: inventory)
For step #3 of the steps in applying Materiality, how do you compare the aggregated misstatements to the tolerable misstatements (at account level & FS level)?
ACCOUNT LEVEL (done during fieldwork) - compare aggregated misstatements vs. tolerable misstatements/performance materiality
if: AM < TM/PM (20K < 50K) - account fairly stated
if: AM > TM/PM (70K > 50K) - account NOT fairly stated (tell management to adjust)
. FS LEVEL (done at very end of audit) - compare aggregated misstatements vs. materiality
if: AM < M (45K < 100K) - FS fairly stated
if: AM > M (150K > 100K) - FS NOT fairly stated (tell management to adjust)
*must adjust whole thing, not just adjust to make under materiality
How do the levels of the 3 elements of the Audit Risk Model work for determining gathering of evidence?
AR
———- = DR
IR x CR
IR^ > DR down > evidence^ (gather more evidence)
CR^ > DR down > evidence^ (gather more evidence)
*need to rely on self (auditor)
What is inherent risk? What are some examples of?
susceptibility of an assertion to MM (material misstatement), assuming no related internal controls
- identified risks based on auditors understanding of entity & its environment, including any fraud risk factors
- significant transactions/classes of transactions not processed systematically
- nonroutine transactions (obsolete inventory)
- significant estimates or judgements (bad debt exp)
- highly complex significant transactions
- application of new standards with significant effect
- revenue recognition in certain industries or for certain types of transactions
- significant industry-specific issues
- history of misstatement
What is control risk? What are some examples of?
risk that material misstatement will not be prevented or detected on a timely basis by entity’s internal controls
can be any number of things that fall under the entity’s internal controls - all pertaining to the 5 elements of control (CRIME)
- control environment
- entity’s risk assessment procedures
- control activities
- information & communication
- monitoring controls
What is detection risk? What are some examples of?
risk that auditor will not detect a material misstatement that exists in the FS
- sampling risk (sample does NOT represent the population)
- non-sampling risk (auditor error - inappropriate audit procedure, misrepresentation of results)
What is a business risk? what are some examples of business risks?
any external or internal factors, pressures or forces that bear on the entity’s ability to survive & be profitable
- significant changes in entity (mergers, reorganizations)
- significant changes in industry
- significant new products/services/lines of business
- new locations
- significant changes in IT environment
- operations in areas with unstable economies
- high degree of complex regulation
What are the Risk Assessment Procedures?
- INQUIRIES of management & others
- INSPECTION
- OBSERVATION
- ANALYTICAL PROCEDURES
*identify high risk areas!
What is the Risk of Material Misstatement Due to Error? What are some examples?
UNINTENTIAL MISSTATEMENTS or omissions of amounts/disclosures
- mistakes in gathering/processing accounting data
- unreasonable accounting estimates arising from oversight/misinterpretation of facts
- client mistakes in application of accounting principles relating to amount/classification/manner of presentation/disclosure (ex: misapply FIFO, GAAP to depreciation exp)
What is the Risk of Material Misstatement Due to Fraud? What are some examples?
INTENTIONAL MISSTATEMENTS
MISAPPROPRIATION OF ASSETS
- stealing assets
- paying for goods/services not received
- embezzling cash received
FRAUDULENT FINANCIAL REPORTING
- manipulation/falsification/alteration of accounting records/supporting documents
- misrepresentation in or intentional omission from FS events/transactions/significant information
- intentional misapplication of accounting principles relating to amount/classification/manner of presentation/disclosure
How many of the 17 principles of Internal Controls created by COSO (Committee of Sponsoring Organizations) are in each of the categories of the Internal Control Components?
CRIME (17):
Control Activities (3) - CA.TP -control activities, technology, policies/procedures
Risk Assessment Procedures (4) - SAFR
-specify, assess, fraud, risks
Information & Communication (3) - OIE
-obtain, internal, external
Monitoring (2) - SO.D
-ongoing/separate, deficiencies
Control Environment (5) - EBOCA -ethical, board, oversight/organizational, competence, accountability
What are the portion of the 17 principles of Internal Controls created by COSO (Committee of Sponsoring Organizations) under the category of Control Environment?
Control Environment (5): EBOCA
1 - ETHICAL - organization demonstrates commitment to integrity & Ethical issues
2 - BOARD - BOD demonstrates independence & exercises oversight of development & performance of IC
3 - OVERSIGHT/ORGANIZATIONAL - management establishes with BOD Oversight, structures/reporting lines in pursuit of objectives
4 - COMPETENT - organization demonstrates commitment to attract/develop/retain Competent individuals in alignment with objectives
5 - ACCOUNTABLE - organization holds individuals Accountable for their IC responsibilities in pursuit of objectives
What are the portion of the 17 principles of Internal Controls created by COSO (Committee of Sponsoring Organizations) under the category of Risk Assessment Procedures?
Risk Assessment Procedures (4): SAFR
6 - SPECIFY - organization Specifies objectives with sufficient clarity to enable identification & assessment of risks relating to objective
7 - RISKS - organization identifies Risks to achievement of its objectives across entity & analyzes risks as basis for determining how risks should be managed
8 - FRAUD - organization considers potential for Fraud in assessing risks to achievement of objectives
9 - ASSESS - organization identifies & Assesses changes that could significantly impact system of IC
What are the portion of the 17 principles of Internal Controls created by COSO (Committee of Sponsoring Organizations) under the category of Control Activities?
Control Activities (3): CA.TP
10 - CONTROL ACTIVITIES - organization selects & develops Control Activities that contribute to mitigation of risks to achievement of objectives to acceptable levels
11 - TECHNOLOGY - organization selects & develops general control activities over Technology to support achievement of objectives
12 - POLICIES & PROCEDURES - organization deploys control activities through Policies that establish what is expected & Procedures to that put policies into action
What are the portion of the 17 principles of Internal Controls created by COSO (Committee of Sponsoring Organizations) under the category of Information & Communication?
Information & Communication (3): OIE
13 - OBTAIN - organization Obtains/generates & uses relevant/quality information to support functioning of IC
14 - INTERNAL - organization Internally communicates information including objectives & responsibilities for IC necessary to support functioning of IC
15 - EXTERNAL - organization communicates with External parties regarding matters affecting functioning of IC
What are the portion of the 17 principles of Internal Controls created by COSO (Committee of Sponsoring Organizations) under the category of Monitoring?
Monitoring (2): SO.D
16 - SEPARATE or ONGOING - organization selects/develops/performs Ongoing and/or Separate evaluations to ascertain whether components of IC are present & functioning
17 - DEFICIENCIES - organization evaluates & communicates IC Deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management & BOD, as appropriate
What are some examples of financial reporting risk factors that fall under risk assessment of internal controls?
- changes in operating environment
- new personnel
- new/revamped information system
- rapid growth
- new technology
- new business models/products/activities
- corporate restructurings
- expanded international operations
- new accounting pronouncements
*a lot deal with change
What are some examples of financial reporting risk factors that fall under control activities of internal controls?
PIPS-CAR
- Performance reviews (independent checks)
- Information processing controls, including authorization & document-based controls
- Physical controls (assets/resources)
- Segregation of duties (CAR):
- Custody of assets
- Authorization
- Recording
An effective accounting system of information & communication of internal controls would encompass methods and records that will…?
- measure value of transactions properly (VALUATION)
- identify & record all valid transactions (COMPLETENESS)
- classify transactions properly (CLASSIFICATION)
- record transactions in proper period (CUTOFF)
- properly present transactions & disclosures (PRESENTATION)
*relate to management assertions
What are some tools/ways for the auditor to document their understanding of Internal Controls?
- copies of entity’s procedures manuals & organizational charts
- narrative descriptions (memos)
- internal control questionnaire
- flowcharts
What happens when the auditor chooses the substantive audit strategy over the reliance strategy?
sets control risk at maximum level (100%) - operating as if do not have controls (not relying on controls)
rely on substantive tests exclusively & extensively
*private companies can choose either strategy
What happens when the auditor chooses the reliance strategy over the substantive strategy?
sets preliminary control risk less than maximum (92%, 63%, etc.) - relying on controls
- if conclude, controls are effective, can proceed w/control risk being less than maximum - can get away w/less extensive substantive tests
- if conclude, controls are ineffective, auditor can…
1) test other controls?
2) control risk will be set to maximum (100%) and proceed as if under substantive strategy
reliance strategy is more work (have to test controls-up front costs), however, less of extensive tests (savings)
*public companies must choose reliance strategy as SOX requires internal controls to be audited
