Audit - Internal Controls AUD2 Flashcards
What is Management’s Responsibility over Internal Controls? (ACE)
Accurate and reliable financial reporting
Compliance with Laws and Regulations
Effectiveness of operations
SAS 109 (AU314) What are 5 components of Internal Controls? (CRIME)
- Control Activities - act. vs budgets, IT systems processing
- Risk Assessment - internal and external factors
- Information and communication - info systems & comm but establishing duties
- Monitoring - mgmt must monitor
- Control Environment (chopper)
What are the risk assesment procedures to assess RMM related to IC? (during the understanding control stage)
- Analytics
- Inquiries of management/staff
- Inspections of documents
- Observe application of controls
Key is auditor is trying to understand what controls have been implemented, not if it is operating effectively (during the understanding stage)
What are the 4 procedures of testing controls?
- Reperformance
- Inspection
- Inquiry
- Observation
Why should we reasess RMM to determine Detection Risk?
After testing controls, if operating effectively, then detection risk is lower, then you can do less substantive testing.
What does SOX require of management?
- Section 302: require officers responsible for maintaining effective IC and to disclose all known deficiencys to auditors and audit committee
- Officers required to report any fraud (material or not) regarinding an EE with roles in internal controls
What are inherent limitations of IC? (COCO)
- Collusion
- Override by Mangement
- Competence - cant prevent human mistakes
- Obsolescence - good controls can cease due to changes within the Company
What is reasonable assurance over IC?
if management can create perfect IC, it wouldnt do so because it is not cost effective.
SAS 99 (AU 316) What does this require?
Requires auditors to respond to management override of controls.
What is the acrenim ARC for in employee responsbiity over IC?
Authorization, Records and Custody. No one person should have two of the ARCs
What is a control deficiency?
when design of control does not allow management or EE in normal course of performing their assigned functions, to prevent or detect or correct mistatements on timely basis
What is significant deficiency?
deficieny or combination of, in IC that is less severe than material weakness, yet important enough to merit attention by those charged with governance
What is material weakness?
deficiency or combo of, in IC such that reasonablne/probable possibility that a material mistatement of entity FS will not be prevented/detected/corrected on timely basis.
What is SSAE15 - Attestation Engagement to Examine IC?
- It is considered an integrated audit and snould be done with FS audit.
- Scope under AICPA
- All deficiencies must be communicated in writing
- Auditor not required to search for controls less severe than material weakness, but if identifieid, should be communicated.
- Report is for General Distributions
Public Company - Internal Control Over Financial Reporting (ICFR)? AS5 & SSAE#10
- Existence of one or more material weakness warrants an “ADVERSE OPINION”. Unqualified opinon if no material weakness and scope limitation.
- Scope Limitation requires auditor to disclaim opinion or withdraw from engagement
- Key difference between non-issues report is that “correct” is not part of deficiency definition
- All deficiency must be communicated in writing to MGMT
