AUD CH 3 - Internal Control Flashcards
Steps in an Audit
- Prepare for the audit
- Obtain understanding the entity & environment (+ I/C)
- Assess RMM & Determine nature, timing, and extent of Further Procedures
- Performed test of controls
- Perform substantive procedures
- Formulate an opinion
- Issue audit report
Integrated audit
Required by PCAOB
- Audit for both internal control over financial reporting and of the financial statements
Non-issuer Test of controls
Draws a conclusion from the test controls as to whether or not the controls can be Relied upon on for the entire period for which Controls were tested
Issuer Test of controls
Opinion on ICFR As of a specific point in time, The date of the Financial statements
Why would control risk be set at Maximum (100%)?
- Internal controls are not sufficiently reliable
OR
- Cost of testing controls Exceeds the potential benefit
When is internal control considered ineffective?
If one or more material weaknesses exist (may Exist when the F/S are NOT Materially Misstated)
Which type of controls are more relevant to the financial statement Assertions?
Controls designed to produce accurate records And safeguarding Of assets
(*Controls for Adherence to laws and regulations & Promote efficiency are NOT relevant)
ACE
COSO Internal Control objectives
A – Accurate & Reliable Financial reporting (primary concern)
C - Compliance with laws and regulations (compliance auditing)
E - Effectiveness and efficiency of operations (operational auditing)
*we want reasonable assurance for these objectives that mgmt is responsible for (DIM)
CRIME
COSO Integrated Framework – Internal Control (5 Components)
C - Control activities (PIPS – ARCC)
R – Risk Assessment (external/internal factors)
I – Information & Communication
M – Monitoring
E - Control environment (CHOPPER)
CHOPPER
Control Environment (internal control)
C - Commitment to competence
H - Human resource policies/practices
O - Organizational structure
P - Participation of governance
P - Philosophy of management & Operating style
E - Ethical values & Integrity
R - Responsibility assignment
PIPS
Control activities
P - Performance reviews
I - Information processing (General vs Application Controls)
P - Physical controls
S – Segregation of Duties (ARCC)
ARCC
Part of PIPS (Control Activities – Segregation of Duties)
A – Authorization
R – Recording (Posting)
C - Custody of assets
C – Comparisons (Bank reconciliation)
UpDATeD
Steps to obtain understanding of internal control
- Up - Understand the DESIGN of CRIME (form) (perform Risk Assessment Procedures – AIIO)
- D - Document understanding (FIND) (form)
- Assess RMM (CR) (form)
- Test of controls (substance)
- e – Reassess RMM to det. CR
- D – Document Conclusions
AIIO
Risk assessment procedures
A - Analytical procedures
I – Inquiries (internal)
I – Inspections (docs)
O – Observation (Application of internal control)
What are the goals of risk assessment procedures?
To Identify those controls that might reduce (implemented? only) RMM (not evaluating)
- Identify potential misstatements
- Consider factors that affect the RMM
- Design TOC and SUB Procedures
What techniques are available for the Auditor to gain information about the client’s Internal control?
PIIO
P - Prior audits
I – Inquiry (Internal)
I – Inspection (auth forms/Procedure Manuals)
O – Observation
PIIO
Techniques available for the Auditor to gain information About the clients internal control Structure
P - Prior audits
I – Inquiry (Internal) (FORM)
I – Inspection (auth forms/Procedure Manuals) (FORM)
O – Observation (substance - ARCC)
What is the requirement for documenting the understanding of internal control?
Must document:
- key elements of the understanding (entity & enviro)
- five components I/C (CRIME)
- Sources of information
- Risk assessment seekers performed
(form is Influenced by the size and complexity of the entity)
FIND
Techniques that are commonly used for documenting the Auditor’s Understanding of internal control structure (step 2)
F – Flowchart
I - Internal control Questionnaire (ICQ) (yes = strength, no = weakness)
N – Narrative or memorandum
D - Decision table/Tree
Substantive Approach
No reliance on internal control
- RMM assessed high
- Controls appear Inadequate / Ineffective / Week
- sub. Testing Is Cost-effective (Test of controls cost > benefit)
Combined approach
Reliance on internal control
- RMM assess low
- Controls appear effective
- Expectation of operating effectiveness of controls
- Test of controls Cost effective
- sub testing ALONE doesn’t Provide enough sufficient audit evidence
How do you test substance of internal controls?
Test of controls
Which test the effectiveness of the design and operation of a control
What are the four procedures for testing controls?
Testing cycles for ARCC by doing RIIO
R – Re-performance
I – Inquiry
I – Inspection (documents)
O – Observation (MOST EFFECTIVE)
It controls have not changed since they were last tested, How often should the Auditor test the operating Effectiveness?
At least once every three years But the Auditor must determine there was no change through the performance of risk assessment procedures (AIIO)